return $values;
}
+ /**
+ * @inheritDoc
+ */
+ public function addSelectWhereClause() {
+ $clauses = parent::addSelectWhereClause();
+ if (!CRM_Core_Permission::check('view all activities')) {
+ $permittedActivityTypeIDs = self::getPermittedActivityTypes();
+ if (empty($permittedActivityTypeIDs)) {
+ // This just prevents a mysql fail if they have no access - should be extremely edge case.
+ $permittedActivityTypeIDs = [0];
+ }
+ $clauses['activity_type_id'] = ('IN (' . implode(', ', $permittedActivityTypeIDs) . ')');
+ }
+ return $clauses;
+ }
+
/**
* Get an array of components that are accessible by the currenct user.
*
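Review bot: The `IN (...)` clause built on the activity_type_id line interpolates the permitted ids straight into SQL, so its safety rests on getPermittedActivityTypes() only ever returning integers (the `(int)` cast that method gains elsewhere in this commit). That invariant lives in another method and a later change to the cached array could silently break it; casting at the point of use keeps the guarantee local, `$clauses['activity_type_id'] = ('IN (' . implode(', ', array_map('intval', $permittedActivityTypeIDs)) . ')');`. The assignment also overwrites rather than combines with any clause the parent may already hold under that key — if parent::addSelectWhereClause() or a hook it runs can populate activity_type_id, the two need to be ANDed. The `[0]` sentinel is a reasonable never-matching id; its comment would be clearer as `// No permitted types: use an id that never matches so the IN () clause stays valid SQL and returns nothing.`.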
$followupParams['target_contact_id'] = $params['target_contact_id'];
}
- $followupParams['activity_date_time'] = CRM_Utils_Date::processDate($params['followup_date'],
- $params['followup_date_time']
- );
+ $followupParams['activity_date_time'] = $params['followup_date'];
$followupActivity = self::create($followupParams);
return $followupActivity;
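Review bot: The new activity_date_time assignment takes `$params['followup_date']` verbatim, so any separate `followup_date_time` value a caller still supplies is now silently ignored, and nothing on the visible lines checks that `followup_date` is present (a missing key yields a notice and a null activity_date_time). The enclosing function starts outside the hunk, so the caller's guarantee may be established earlier; if it is, a comment recording the new contract would help, e.g. `// followup_date is expected as a full datetime string; the old followup_date_time parameter is no longer consulted.`. If it is not, the old processDate() call should be replaced by an explicit check rather than dropped.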
return FALSE;
}
+ if (!self::hasPermissionForActivityType($activity->activity_type_id)) {
+ // this check is redundant for api access / anything that calls the selectWhereClause
+ // to determine ACLs.
+ return FALSE;
+ }
// Return early when it is case activity.
// Check for CiviCase related permission.
if (CRM_Case_BAO_Case::isCaseActivity($activityId)) {
return self::isContactPermittedAccessToCaseActivity($activityId, $action, $activity->activity_type_id);
}
- // Component related permissions.
- $allow = self::hasPermissionForActivityType($activity->activity_type_id);
-
// Check for this permission related to contact.
$permission = CRM_Core_Permission::VIEW;
if ($action == CRM_Core_Action::UPDATE) {
$targetID = CRM_Utils_Array::key('Activity Targets', $activityContacts);
// Check for source contact.
- if ($allow) {
- $sourceContactId = self::getActivityContact($activity->id, $sourceID);
- // Account for possibility of activity not having a source contact (as it may have been deleted).
- $allow = $sourceContactId ? CRM_Contact_BAO_Contact_Permission::allow($sourceContactId, $permission) : TRUE;
+ $sourceContactId = self::getActivityContact($activity->id, $sourceID);
+ // Account for possibility of activity not having a source contact (as it may have been deleted).
+ $allow = $sourceContactId ? CRM_Contact_BAO_Contact_Permission::allow($sourceContactId, $permission) : TRUE;
+ if (!$allow) {
+ return FALSE;
}
// Check for target and assignee contacts.
- if ($allow) {
- // First check for supper permission.
- $supPermission = 'view all contacts';
- if ($action == CRM_Core_Action::UPDATE) {
- $supPermission = 'edit all contacts';
- }
- $allow = CRM_Core_Permission::check($supPermission);
-
- // User might have sufficient permission, through acls.
- if (!$allow) {
- $allow = TRUE;
- // Get the target contacts.
- $targetContacts = CRM_Activity_BAO_ActivityContact::retrieveContactIdsByActivityId($activity->id, $targetID);
- foreach ($targetContacts as $cnt => $contactId) {
+ // First check for supper permission.
+ $supPermission = 'view all contacts';
+ if ($action == CRM_Core_Action::UPDATE) {
+ $supPermission = 'edit all contacts';
+ }
+ $allow = CRM_Core_Permission::check($supPermission);
+
+ // User might have sufficient permission, through acls.
+ if (!$allow) {
+ $allow = TRUE;
+ // Get the target contacts.
+ $targetContacts = CRM_Activity_BAO_ActivityContact::retrieveContactIdsByActivityId($activity->id, $targetID);
+ foreach ($targetContacts as $cnt => $contactId) {
+ if (!CRM_Contact_BAO_Contact_Permission::allow($contactId, $permission)) {
+ $allow = FALSE;
+ break;
+ }
+ }
+
+ // Get the assignee contacts.
+ if ($allow) {
+ $assigneeContacts = CRM_Activity_BAO_ActivityContact::retrieveContactIdsByActivityId($activity->id, $assigneeID);
+ foreach ($assigneeContacts as $cnt => $contactId) {
if (!CRM_Contact_BAO_Contact_Permission::allow($contactId, $permission)) {
$allow = FALSE;
break;
}
}
-
- // Get the assignee contacts.
- if ($allow) {
- $assigneeContacts = CRM_Activity_BAO_ActivityContact::retrieveContactIdsByActivityId($activity->id, $assigneeID);
- foreach ($assigneeContacts as $cnt => $contactId) {
- if (!CRM_Contact_BAO_Contact_Permission::allow($contactId, $permission)) {
- $allow = FALSE;
- break;
- }
- }
- }
}
}
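Review bot: Moving the hasPermissionForActivityType() check ahead of the isCaseActivity() early return changes the outcome for case activities: previously they returned from isContactPermittedAccessToCaseActivity() before the component check ran, now they must also pass the activity-type check first. That may be the intent, but the added comment only says the check is redundant for API callers; if case activity types can be excluded by getPermittedActivityTypes() (for example when the user lacks the CiviCase component permission) this is a behaviour change that should be stated, e.g. extend the comment with `// Note: this now also applies to case activities, which previously skipped the component/activity-type check.`. The enclosing checkPermission() function starts and ends outside the hunk, so the final use of `$allow` is not visible here.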
* @return bool
*/
protected static function isContactPermittedAccessToCaseActivity($activityId, $action, $activityTypeID) {
- $allow = FALSE;
- foreach (['access my cases and activities', 'access all cases and activities'] as $per) {
- if (CRM_Core_Permission::check($per)) {
- $allow = TRUE;
- break;
- }
- }
-
- // Check for case specific permissions.
- if ($allow) {
- $oper = 'view';
- if ($action == CRM_Core_Action::UPDATE) {
- $oper = 'edit';
- }
- $allow = CRM_Case_BAO_Case::checkPermission($activityId,
- $oper,
- $activityTypeID
- );
+ $oper = 'view';
+ if ($action == CRM_Core_Action::UPDATE) {
+ $oper = 'edit';
}
+ $allow = CRM_Case_BAO_Case::checkPermission($activityId,
+ $oper,
+ $activityTypeID
+ );
return $allow;
}
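Review bot: The rewrite removes the up-front test for `access my cases and activities` / `access all cases and activities`, so the result now rests entirely on CRM_Case_BAO_Case::checkPermission(). If that method does not itself gate on the case-component permissions, a user without them could be granted view or edit on a case activity on the strength of the activity-type check alone — worth confirming and recording in the docblock, e.g. `@return bool TRUE when CRM_Case_BAO_Case::checkPermission() grants $action; case-component permissions are expected to be enforced there.`. The remaining body can also collapse to `$oper = ($action == CRM_Core_Action::UPDATE) ? 'edit' : 'view';` followed by `return CRM_Case_BAO_Case::checkPermission($activityId, $oper, $activityTypeID);`.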
*
* @return array
*/
- public static function getPermittedActivityTypes() {
+ protected static function getPermittedActivityTypes() {
$userID = (int) CRM_Core_Session::getLoggedInContactID();
if (!isset(Civi::$statics[__CLASS__]['permitted_activity_types'][$userID])) {
$permittedActivityTypes = [];
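Review bot: Narrowing getPermittedActivityTypes() from public to protected breaks any extension or custom code that called it directly, and the docblock visible above does not mention the change. If outside callers are meant to go through addSelectWhereClause() instead, say so and consider keeping the method public for one release with a deprecation note, e.g. `@deprecated use addSelectWhereClause() / the API ACL layer; will become protected.`. If there are no external callers, a one-line `@internal` tag documents the intent without the BC risk.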
INNER JOIN civicrm_option_group grp ON (grp.id = option_group_id AND grp.name = 'activity_type')
WHERE component_id IS NULL $componentClause")->fetchAll();
foreach ($types as $type) {
- $permittedActivityTypes[$type['activity_type_id']] = $type['activity_type_id'];
+ $permittedActivityTypes[$type['activity_type_id']] = (int) $type['activity_type_id'];
}
Civi::$statics[__CLASS__]['permitted_activity_types'][$userID] = $permittedActivityTypes;
}
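Review bot: The `(int)` cast on the value is what makes it safe for addSelectWhereClause() to implode these ids directly into an `IN (...)` clause, but nothing at the cast site says so, and a future "simplification" could drop it. A short why-comment pins the dependency: `// Cast to int: these ids are interpolated unescaped into SQL by addSelectWhereClause().`. The array key on the same line stays an uncast string; that is harmless for numeric strings (PHP normalises them to int keys) but casting both sides, `$permittedActivityTypes[(int) $type['activity_type_id']] = (int) $type['activity_type_id'];`, removes the asymmetry.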
$fileValues = CRM_Core_BAO_File::path($value, $params['activityID']);
$customParams["custom_{$key}_-1"] = array(
'name' => $fileValues[0],
- 'path' => $fileValues[1],
+ 'type' => $fileValues[1],
);
}
else {
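Review bot: Renaming the key from `path` to `type` changes the meaning attached to `$fileValues[1]`, but the shape of what CRM_Core_BAO_File::path() returns is not visible here, so a reader cannot tell from this hunk whether index 1 is a MIME type or a path. Destructuring makes the assumption explicit and self-documenting: `[$fileName, $fileType] = CRM_Core_BAO_File::path($value, $params['activityID']);` followed by `'name' => $fileName, 'type' => $fileType,`. While touching these lines, the `array(` long syntax could become `[` to match the short syntax used elsewhere in this commit.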