projects / civicrm-core.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
webtest for CRM-16777
[civicrm-core.git] / Civi / API / Subscriber / PermissionCheck.php
diff --git a/Civi/API/Subscriber/PermissionCheck.php b/Civi/API/Subscriber/PermissionCheck.php
index 4ead4938f3d3122ba8f268b1a006fef1ad17709d..5801f88226ae1ac473ab98513c05a39c63c38327 100644 (file)
--- a/Civi/API/Subscriber/PermissionCheck.php
+++ b/Civi/API/Subscriber/PermissionCheck.php
@@ -1,9 +1,9 @@
 <?php
 /*
  +--------------------------------------------------------------------+
- | CiviCRM version 4.4                                                |
+ | CiviCRM version 4.6                                                |
  +--------------------------------------------------------------------+
- | Copyright CiviCRM LLC (c) 2004-2013                                |
+ | Copyright CiviCRM LLC (c) 2004-2015                                |
  +--------------------------------------------------------------------+
  | This file is a part of CiviCRM.                                    |
  |                                                                    |
@@ -23,15 +23,17 @@
  | GNU Affero General Public License or the licensing of CiviCRM,     |
  | see the CiviCRM license FAQ at http://civicrm.org/licensing        |
  +--------------------------------------------------------------------+
-*/
+ */
 
 namespace Civi\API\Subscriber;
+
 use Civi\API\Events;
 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
 
 /**
- * For any API requests that correspond to a Doctrine entity ($apiRequest['doctrineClass']), check
- * permissions specified in Civi\API\Annotation\Permission.
+ * For any API requests that correspond to a Doctrine entity
+ * ($apiRequest['doctrineClass']), check permissions specified in
+ * Civi\API\Annotation\Permission.
  */
 class PermissionCheck implements EventSubscriberInterface {
   /**
@@ -47,6 +49,7 @@ class PermissionCheck implements EventSubscriberInterface {
 
   /**
    * @param \Civi\API\Event\AuthorizeEvent $event
+   *   API authorization event.
    *
    * @throws \Civi\API\Exception\UnauthorizedException
    */
@@ -70,11 +73,12 @@ class PermissionCheck implements EventSubscriberInterface {
         return;
       }
 
-      if (!\CRM_Core_Permission::check($permissions)) {
+      if (!\CRM_Core_Permission::check($permissions) and !self::checkACLPermission($apiRequest)) {
         if (is_array($permissions)) {
           $permissions = implode(' and ', $permissions);
         }
-        // FIXME: Generating the exception ourselves allows for detailed error but doesn't play well with multiple authz subscribers.
+        // FIXME: Generating the exception ourselves allows for detailed error
+        // but doesn't play well with multiple authz subscribers.
         throw new \Civi\API\Exception\UnauthorizedException("API permission check failed for {$apiRequest['entity']}/{$apiRequest['action']} call; insufficient permission: require $permissions");
       }
 
@@ -82,4 +86,29 @@ class PermissionCheck implements EventSubscriberInterface {
       $event->stopPropagation();
     }
   }
+
+  /**
+   * Check API for ACL permission.
+   *
+   * @param array $apiRequest
+   *
+   * @return bool
+   */
+  public function checkACLPermission($apiRequest) {
+    switch ($apiRequest['entity']) {
+      case 'UFGroup':
+      case 'UFField':
+        $ufGroups = \CRM_Core_PseudoConstant::get('CRM_Core_DAO_UFField', 'uf_group_id');
+        $aclCreate = \CRM_ACL_API::group(\CRM_Core_Permission::CREATE, NULL, 'civicrm_uf_group', $ufGroups);
+        $aclEdit = \CRM_ACL_API::group(\CRM_Core_Permission::EDIT, NULL, 'civicrm_uf_group', $ufGroups);
+        $ufGroupId = $apiRequest['entity'] == 'UFGroup' ? $apiRequest['params']['id'] : $apiRequest['params']['uf_group_id'];
+        if (in_array($ufGroupId, $aclEdit) or $aclCreate) {
+          return TRUE;
+        }
+        break;
+    }
+
+    return FALSE;
+  }
+
 }