4 +--------------------------------------------------------------------+
5 | Copyright CiviCRM LLC. All rights reserved. |
7 | This work is published under the GNU AGPLv3 license with some |
8 | permitted exceptions and without any warranty. For full license |
9 | and copyright information, see https://civicrm.org/licensing |
10 +--------------------------------------------------------------------+
16 * @copyright CiviCRM LLC https://civicrm.org/licensing
20 namespace api\v
4\Query
;
22 use api\v
4\UnitTestCase
;
23 use Civi\API\Exception\UnauthorizedException
;
24 use Civi\Api4\Contact
;
26 use Civi\Api4\Participant
;
31 class PermissionCheckTest
extends UnitTestCase
{
34 * Clean up after test.
/**
 * Resets hook state and removes the permission override installed by a test.
 *
 * The tests in this class assign
 * \CRM_Core_Config::singleton()->userPermissionClass->permissions directly;
 * unsetting it here stops one test's grant from carrying over into the next.
 */
public function tearDown(): void {
  // Discard any hook listeners the test registered.
  \CRM_Utils_Hook::singleton()->reset();
  // Drop the per-test permission set so the next test starts from the default gate.
  $coreConfig = \CRM_Core_Config::singleton();
  unset($coreConfig->userPermissionClass->permissions);
}
/**
 * Verifies the API gatekeeper on a plain Event::get: the call succeeds under
 * the granted permission set and throws UnauthorizedException once the
 * permission set is emptied.
 *
 * The contents of the first permission array are not rendered in this
 * listing; only its assignment is visible.
 */
47 public function testGatekeeperPermissions() {
48 $config = \CRM_Core_Config
::singleton();
// Install the test's grant on the core config's permission class.
49 $config->userPermissionClass
->permissions
= [
54 // Above permissions should be sufficient to perform Event::get
55 Event
::get()->execute();
// With an empty grant the same call must be refused by the gatekeeper.
57 $config->userPermissionClass
->permissions
= [];
58 // Ensure error is thrown if permissions are not sufficient
// NOTE(review): the try opener and any $this->fail() following the call are
// not rendered here; without a fail() inside the try, an Event::get that
// unexpectedly succeeds would go unreported — confirm against the full file.
60 Event
::get()->execute();
62 catch (UnauthorizedException
$e) {
63 $err = $e->getMessage();
// The exception type is pinned by the catch clause; only the message text
// is asserted here.
65 $this->assertStringContainsString('Authorization failed', $err);
69 * Tests that gatekeeper permissions are enforced for implicit joins
/**
 * Checks that implicit (dotted) joins respect the joined entity's gate: with
 * the granted permission set both contact.first_name and event.title come
 * back from Participant::get; after the grant is reduced, event.title is
 * withheld while contact.first_name is still returned.
 *
 * Both permission arrays are only partially rendered in this listing — just
 * 'view event participants' is visible in each — so which grant is removed
 * for the second query is known only from the inline comment below.
 */
71 public function testImplicitJoinPermissions() {
72 $config = \CRM_Core_Config
::singleton();
// Grant used for the first, fully permitted query.
73 $config->userPermissionClass
->permissions
= [
78 'view event participants',
// Unique marker so the created contact can be recognised by first_name.
80 $name = uniqid(__FUNCTION__
);
// Fixtures are created with FALSE (presumably API4's checkPermissions flag)
// so setup is not subject to the restricted grant installed above — confirm.
81 $event = Event
::create(FALSE)
82 ->addValue('title', 'ABC123 Event')
83 ->addValue('event_type_id', 1)
84 ->addValue('start_date', 'now')
86 $contact = Contact
::create(FALSE)
87 ->addValue('first_name', $name)
// NOTE(review): the chained Participant::create() carries no FALSE argument;
// whether it inherits the parent's permission setting is not visible here.
// '$id' is single-quoted on purpose: a chain placeholder, not interpolation.
88 ->addChain('participant', Participant
::create()
89 ->addValue('contact_id', '$id')
90 ->addValue('event_id', $event['id']),
// Implicit joins: the dotted selects pull fields from Contact and Event.
93 $participant = Participant
::get()
94 ->addSelect('contact.first_name', 'event.title')
95 ->addWhere('event.id', '=', $event['id'])
99 $this->assertEquals('ABC123 Event', $participant['event.title']);
100 $this->assertEquals($name, $participant['contact.first_name']);
102 // Remove access to view events
103 $config->userPermissionClass
->permissions
= [
107 'view event participants',
// Same participant, now filtered by its own id — presumably so the filter
// itself does not depend on the removed event permission; confirm.
109 $participant = Participant
::get()
110 ->addSelect('contact.first_name')
111 ->addSelect('event.title')
112 ->addWhere('id', '=', $contact['participant']['id'])
// The joined event field must be absent or empty once its gate is closed;
// the contact field is unaffected. empty() suffices for this fixture because
// any leak would carry the non-empty title 'ABC123 Event'; assertArrayNotHasKey
// or assertNull would state the contract more precisely.
116 $this->assertTrue(empty($participant['event.title']));
117 $this->assertEquals($name, $participant['contact.first_name']);
122 * Tests that gatekeeper permissions are enforced for explicit joins
/**
 * Explicit-join counterpart of the implicit-join test: Participant::get with
 * addJoin() to Contact and Event returns contact1.first_name and event1.title
 * under the granted permission set; after the grant is reduced, event1.title
 * is withheld while contact1.first_name is still returned.
 *
 * As in the implicit-join test, the permission arrays are only partially
 * rendered here ('view event participants' is the one visible entry), and the
 * method's closing lines fall outside this listing.
 */
124 public function testExplicitJoinPermissions() {
125 $config = \CRM_Core_Config
::singleton();
// Grant used for the first, fully permitted query.
126 $config->userPermissionClass
->permissions
= [
131 'view event participants',
// Unique marker so the created contact can be recognised by first_name.
133 $name = uniqid(__FUNCTION__
);
// Fixtures are created with FALSE (presumably API4's checkPermissions flag)
// so setup is not subject to the restricted grant installed above — confirm.
134 $event = Event
::create(FALSE)
135 ->addValue('title', 'ABC321 Event')
136 ->addValue('event_type_id', 1)
137 ->addValue('start_date', 'now')
138 ->execute()->first();
139 $contact = Contact
::create(FALSE)
140 ->addValue('first_name', $name)
// NOTE(review): the chained Participant::create() carries no FALSE argument;
// whether it inherits the parent's permission setting is not visible here.
// '$id' is single-quoted on purpose: a chain placeholder, not interpolation.
141 ->addChain('participant', Participant
::create()
142 ->addValue('contact_id', '$id')
143 ->addValue('event_id', $event['id']),
145 ->execute()->first();
// Explicit joins with aliases. The Contact join spells out its ON condition;
// the Event join gives none, so its condition is presumably derived from the
// participant's event_id foreign key — confirm.
146 $participant = Participant
::get()
147 ->addJoin('Contact AS contact1', 'INNER', ['contact1.id', '=', 'contact_id'])
148 ->addJoin('Event AS event1', 'INNER')
149 ->addSelect('contact1.first_name', 'event1.title')
150 ->addWhere('event1.id', '=', $event['id'])
154 $this->assertEquals('ABC321 Event', $participant['event1.title']);
155 $this->assertEquals($name, $participant['contact1.first_name']);
157 // Remove access to view events
158 $config->userPermissionClass
->permissions
= [
162 'view event participants',
// Same joins, but filtered by the participant's own id — presumably so the
// filter itself does not depend on the removed event permission; confirm.
164 $participant = Participant
::get()
165 ->addJoin('Contact AS contact1', 'INNER', ['contact1.id', '=', 'contact_id'])
166 ->addJoin('Event AS event1', 'INNER')
167 ->addSelect('contact1.first_name')
168 ->addSelect('event1.title')
169 ->addWhere('id', '=', $contact['participant']['id'])
// The joined event field must be absent or empty once its gate is closed,
// even though the join itself is still declared; the contact field is
// unaffected. empty() suffices here because any leak would carry the
// non-empty title 'ABC321 Event'.
173 $this->assertTrue(empty($participant['event1.title']));
174 $this->assertEquals($name, $participant['contact1.first_name']);