webtest for CRM-16777

[civicrm-core.git] / Civi / API / Subscriber / PermissionCheck.php

diff --git a/Civi/API/Subscriber/PermissionCheck.php b/Civi/API/Subscriber/PermissionCheck.php
index 49caac2ddcb916746ea059539013848a4df39be8..5801f88226ae1ac473ab98513c05a39c63c38327 100644 (file)
--- a/Civi/API/Subscriber/PermissionCheck.php
+++ b/Civi/API/Subscriber/PermissionCheck.php
@@ -73,7 +73,7 @@ class PermissionCheck implements EventSubscriberInterface {
         return;
       }
 
-      if (!\CRM_Core_Permission::check($permissions)) {
+      if (!\CRM_Core_Permission::check($permissions) and !self::checkACLPermission($apiRequest)) {
         if (is_array($permissions)) {
           $permissions = implode(' and ', $permissions);
         }
@@ -87,4 +87,28 @@ class PermissionCheck implements EventSubscriberInterface {
     }
   }
 
+  /**
+   * Check API for ACL permission.
+   *
+   * @param array $apiRequest
+   *
+   * @return bool
+   */
+  public function checkACLPermission($apiRequest) {
+    switch ($apiRequest['entity']) {
+      case 'UFGroup':
+      case 'UFField':
+        $ufGroups = \CRM_Core_PseudoConstant::get('CRM_Core_DAO_UFField', 'uf_group_id');
+        $aclCreate = \CRM_ACL_API::group(\CRM_Core_Permission::CREATE, NULL, 'civicrm_uf_group', $ufGroups);
+        $aclEdit = \CRM_ACL_API::group(\CRM_Core_Permission::EDIT, NULL, 'civicrm_uf_group', $ufGroups);
+        $ufGroupId = $apiRequest['entity'] == 'UFGroup' ? $apiRequest['params']['id'] : $apiRequest['params']['uf_group_id'];
+        if (in_array($ufGroupId, $aclEdit) or $aclCreate) {
+          return TRUE;
+        }
+        break;
+    }
+
+    return FALSE;
+  }
+
 }