}
/**
- * takes an associative array and creates a case object
+ * Is CiviCase enabled?
+ *
+ * @return bool
+ */
+ static function enabled() {
+ $config = CRM_Core_Config::singleton();
+ return in_array('CiviCase', $config->enableComponents);
+ }
+
+ /**
+ * Takes an associative array and creates a case object
*
* the function extract all the params it needs to initialize the create a
* case object. the params array could contain additional unused name/value
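Review bot: `enabled()` calls `in_array('CiviCase', $config->enableComponents)` without the strict flag, so a loosely-comparable value in `enableComponents` would be treated as a match; pass `TRUE` as the third argument, `return in_array('CiviCase', $config->enableComponents, TRUE);`. The method also has no guard for `enableComponents` not being an array — presumably the config always sets it, but if it can be null the call emits a warning and returns false, which is worth confirming since every access check below now routes through this helper. The second docblock in the hunk belongs to a function whose body starts outside the hunk.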
}
//do check for civicase component enabled.
- if ($checkComponent) {
- static $componentEnabled;
- if (!isset($componentEnabled)) {
- $config = CRM_Core_Config::singleton();
- $componentEnabled = FALSE;
- if (in_array('CiviCase', $config->enableComponents)) {
- $componentEnabled = TRUE;
- }
- }
- if (!$componentEnabled) {
- return $allow;
- }
+ if ($checkComponent && !self::enabled()) {
+ return $allow;
}
//do check for cases.
* or 'access all cases and activities'
*/
static function accessCiviCase() {
- static $componentEnabled;
- if (!isset($componentEnabled)) {
- $componentEnabled = FALSE;
- $config = CRM_Core_Config::singleton();
- if (in_array('CiviCase', $config->enableComponents)) {
- $componentEnabled = TRUE;
- }
- }
- if (!$componentEnabled) {
+ if (!self::enabled()) {
return FALSE;
}
}
/**
- * Function to check whether activity is a case Activity
+ * Verify user has permission to access a case
+ *
+ * @param int $caseId
+ *
+ * @return bool
+ */
+ static function accessCase($caseId) {
+ if (!$caseId || !self::enabled()) {
+ return FALSE;
+ }
+
+ // This permission always has access
+ if (CRM_Core_Permission::check('access all cases and activities')) {
+ return TRUE;
+ }
+
+ // This permission is required at minimum
+ if (!CRM_Core_Permission::check('access my cases and activities')) {
+ return FALSE;
+ }
+
+ $filterCases = CRM_Case_BAO_Case::getCases(FALSE);
+
+ return isset($filterCases[$caseId]);
+ }
+
+ /**
+ * Check whether activity is a case Activity
*
* @param int $activityID activity id
*
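Review bot: `accessCase()` decides access by `isset($filterCases[$caseId])` on the result of `CRM_Case_BAO_Case::getCases(FALSE)`, and nothing in the hunk states what that call returns or how it is keyed; if it is keyed by anything other than the case id, every non-admin caller is denied, and if it returns rows the user may not fully access, the check is too permissive. I would pin that dependency with a comment, `// getCases(FALSE) is relied on to return only the cases the current user may access, keyed by case id — confirm against its implementation`, and add `@throws`/`@return` notes that the `'access all cases and activities'` branch short-circuits before any per-case filtering. The `@param int $caseId` docblock is fine as is, but the `!$caseId` guard also rejects a string `'0'` or `''` silently; callers in this change always pass an escaped `'Positive'` value, so document that expectation in the docblock rather than widening the guard. Loading the full list of accessible cases to test one id is also a cost worth noting on a hot path, hedged since the helper's cost is not visible here.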
function processCaseTags() {
- $caseId = CRM_Utils_Type::escape($_POST['case_id'], 'Integer');
+ $caseId = CRM_Utils_Type::escape($_POST['case_id'], 'Positive');
$tags = CRM_Utils_Type::escape($_POST['tag'], 'String');
$tagList = $_POST['taglist'];
- if (empty($caseId)) {
- echo 'false';
- CRM_Utils_System::civiExit();
+ if (!CRM_Case_BAO_Case::accessCase($caseId)) {
+ CRM_Utils_System::permissionDenied();
}
$tagIds = array();
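Review bot: The new guard relies on `CRM_Utils_System::permissionDenied()` terminating the request, whereas the removed code called `CRM_Utils_System::civiExit()` explicitly after writing the response; if `permissionDenied()` can return (for example in a test or embedded context), execution falls through and the tag update on `$caseId` proceeds for a caller who failed the check. If that helper is not guaranteed to exit, follow the call with an explicit `return;` or `CRM_Utils_System::civiExit();` in the denied branch. The same pattern appears in `caseDetails()`, `addClient()` and `deleteCaseRoles()` below. Separately, `$tagList = $_POST['taglist'];` on the context line above is still consumed unescaped after the access check; that is pre-existing, but since this hunk now hardens the inputs around it, it deserves the same `CRM_Utils_Type::escape(..., 'String')` treatment. `processCaseTags()` continues outside the hunk.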
}
function caseDetails() {
- $caseId = CRM_Utils_Type::escape($_GET['caseId'], 'Integer');
+ $caseId = CRM_Utils_Type::escape($_GET['caseId'], 'Positive');
+
+ if (!CRM_Case_BAO_Case::accessCase($caseId)) {
+ CRM_Utils_System::permissionDenied();
+ }
+
$sql = "SELECT civicrm_case.*, civicrm_case_type.title as case_type
FROM civicrm_case
INNER JOIN civicrm_case_type ON civicrm_case.case_type_id = civicrm_case_type.id
}
function addClient() {
- $caseId = CRM_Utils_Type::escape($_POST['caseID'], 'Integer');
- $contactId = CRM_Utils_Type::escape($_POST['contactID'], 'Integer');
+ $caseId = CRM_Utils_Type::escape($_POST['caseID'], 'Positive');
+ $contactId = CRM_Utils_Type::escape($_POST['contactID'], 'Positive');
+
+ if (!$contactId || !CRM_Case_BAO_Case::accessCase($caseId)) {
+ CRM_Utils_System::permissionDenied();
+ }
$params = array(
'case_id' => $caseId,
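Review bot: `addClient()` now verifies that the caller may access `$caseId`, but `$contactId` is only checked to be a positive integer; nothing in the hunk verifies that the caller is permitted to view or edit that contact before it is attached to the case. Unless that check happens later in the function (which continues outside the hunk), gate it with the contact permission helper, e.g. `if (!CRM_Contact_BAO_Contact_Permission::allow($contactId, CRM_Core_Permission::EDIT)) { CRM_Utils_System::permissionDenied(); }`, and treat `permissionDenied()` as possibly returning by following it with an explicit exit, as noted for `processCaseTags()`. A one-line comment above the guard, `// caller must be able to access the case; contact-level permission is checked separately`, would make the intended split explicit.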
* Function to delete relationships specific to case and relationship type
*/
static function deleteCaseRoles() {
- $caseId = CRM_Utils_Type::escape($_POST['case_id'], 'Integer');
- $relType = CRM_Utils_Type::escape($_POST['rel_type'], 'Integer');
+ $caseId = CRM_Utils_Type::escape($_POST['case_id'], 'Positive');
+ $relType = CRM_Utils_Type::escape($_POST['rel_type'], 'Positive');
+
+ if (!$relType || !CRM_Case_BAO_Case::accessCase($caseId)) {
+ CRM_Utils_System::permissionDenied();
+ }
$sql = "DELETE FROM civicrm_relationship WHERE case_id={$caseId} AND relationship_type_id={$relType}";
CRM_Core_DAO::executeQuery($sql);