Merge pull request #19800 from eileenmcnaughton/gettypes
[civicrm-core.git] / CRM / Contact / BAO / DashboardContact.php
index 8fc3f230f007dc62db95d3763a6de8ec6e1ed6e6..145494860b58e8a8f0fcba5666da31a149cdc117 100644 (file)
@@ -1,33 +1,55 @@
 <?php
 /*
  +--------------------------------------------------------------------+
- | CiviCRM version 5                                                  |
- +--------------------------------------------------------------------+
- | Copyright CiviCRM LLC (c) 2004-2018                                |
- +--------------------------------------------------------------------+
- | This file is a part of CiviCRM.                                    |
- |                                                                    |
- | CiviCRM is free software; you can copy, modify, and distribute it  |
- | under the terms of the GNU Affero General Public License           |
- | Version 3, 19 November 2007 and the CiviCRM Licensing Exception.   |
- |                                                                    |
- | CiviCRM is distributed in the hope that it will be useful, but     |
- | WITHOUT ANY WARRANTY; without even the implied warranty of         |
- | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.               |
- | See the GNU Affero General Public License for more details.        |
+ | Copyright CiviCRM LLC. All rights reserved.                        |
  |                                                                    |
- | You should have received a copy of the GNU Affero General Public   |
- | License and the CiviCRM Licensing Exception along                  |
- | with this program; if not, contact CiviCRM LLC                     |
- | at info[AT]civicrm[DOT]org. If you have questions about the        |
- | GNU Affero General Public License or the licensing of CiviCRM,     |
- | see the CiviCRM license FAQ at http://civicrm.org/licensing        |
+ | This work is published under the GNU AGPLv3 license with some      |
+ | permitted exceptions and without any warranty. For full license    |
+ | and copyright information, see https://civicrm.org/licensing       |
  +--------------------------------------------------------------------+
  */
 
 /**
  * @package CRM
- * @copyright CiviCRM LLC (c) 2004-2018
+ * @copyright CiviCRM LLC https://civicrm.org/licensing
  */
 class CRM_Contact_BAO_DashboardContact extends CRM_Contact_DAO_DashboardContact {
+
+  /**
+   * @param array $record
+   *
+   * @return CRM_Contact_DAO_DashboardContact
+   * @throws \CRM_Core_Exception
+   */
+  public static function writeRecord(array $record): CRM_Core_DAO {
+    self::checkEditPermission($record);
+    return parent::writeRecord($record);
+  }
+
+  /**
+   * @param array $record
+   * @return CRM_Contact_DAO_DashboardContact
+   * @throws CRM_Core_Exception
+   */
+  public static function deleteRecord(array $record) {
+    self::checkEditPermission($record);
+    return parent::deleteRecord($record);
+  }
+
+  /**
+   * Ensure that the current user has permission to create/edit/delete a DashboardContact record
+   *
+   * @param array $record
+   * @throws CRM_Core_Exception
+   * @throws \Civi\API\Exception\UnauthorizedException
+   */
+  public static function checkEditPermission(array $record) {
+    if (!empty($record['check_permissions']) && !CRM_Core_Permission::check('administer CiviCRM')) {
+      $cid = !empty($record['id']) ? self::getFieldValue(parent::class, $record['id'], 'contact_id') : $record['contact_id'];
+      if ($cid != CRM_Core_Session::getLoggedInContactID()) {
+        throw new \Civi\API\Exception\UnauthorizedException('You do not have permission to edit the dashboard for this contact.');
+      }
+    }
+  }
+
 }
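Review bot: The ownership test in checkEditPermission uses a loose `!=` between `$cid` and `CRM_Core_Session::getLoggedInContactID()` with no guard for the empty case, so two NULLs compare equal and the check passes: if `getLoggedInContactID()` yields NULL for an anonymous session, or `getFieldValue()` yields NULL for an `id` that does not exist, or the create path reads an unset `$record['contact_id']` (which also raises an undefined-index notice), the non-admin caller is let through rather than rejected; and under PHP 7 the loose comparison also accepts a numeric-prefixed string such as `'5 x'` against contact 5. Separately, on the update branch only the stored `contact_id` is examined, so a non-admin who owns a record may still pass a different `contact_id` in `$record` and reassign the row to another contact. I would compare as strictly cast integers, fail closed when the logged-in contact is empty, and also check the supplied `contact_id` when one is given; the fence below rewrites only the body of the `if` block.
```php
  public static function checkEditPermission(array $record) {
    if (!empty($record['check_permissions']) && !CRM_Core_Permission::check('administer CiviCRM')) {
      $loggedInContactID = (int) CRM_Core_Session::getLoggedInContactID();
      $cid = !empty($record['id']) ? self::getFieldValue(parent::class, $record['id'], 'contact_id') : ($record['contact_id'] ?? NULL);
      // On update, also refuse re-assigning the record to another contact.
      $targetContactID = $record['contact_id'] ?? $cid;
      if (!$loggedInContactID || (int) $cid !== $loggedInContactID || (int) $targetContactID !== $loggedInContactID) {
        throw new \Civi\API\Exception\UnauthorizedException('You do not have permission to edit the dashboard for this contact.');
      }
    }
  }
```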