CRM-20441 Limit acceptable operators to IN only
authorSeamus Lee <seamuslee001@gmail.com>
Mon, 24 Apr 2017 23:28:20 +0000 (09:28 +1000)
committerSeamus Lee <seamuslee001@gmail.com>
Mon, 24 Apr 2017 23:28:20 +0000 (09:28 +1000)
api/v3/Activity.php

index 99df306c9708fbc9400d194de37e5ec734d41ef5..321ceeeae421cf4c4da5c8c006dee177e4e300b2 100644 (file)
@@ -305,11 +305,17 @@ function civicrm_api3_activity_get($params) {
       );
     }
     $ids = array();
+    $allowed_operators = array(
+      'IN',
+    );
     if (is_array($params['id'])) {
       foreach ($params['id'] as $operator => $values) {
-        if (in_array($operator, CRM_Core_DAO::acceptedSQLOperators())) {
+        if (in_array($operator, CRM_Core_DAO::acceptedSQLOperators()) && in_array($operator, $allowed_operators)) {
           $ids = $values;
         }
+        else {
+          throw new \Civi\Api\Exception('Used an unsupported sql operator with Activity.get API');
+        }
       }
     }
     else {
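Review bot: Both `in_array` calls in the changed `if` compare loosely, so on the PHP versions this code targets an integer key such as `0` (as produced by a plain list of ids under `$params['id']`) compares equal to the non-numeric string `'IN'` and is accepted as the operator, while every other integer key now falls into the new `else` and throws; pass `TRUE` as the third argument, `in_array($operator, $allowed_operators, TRUE)`, and likewise for the `acceptedSQLOperators()` check. With `'IN'` as the sole entry of `$allowed_operators`, the first check against `acceptedSQLOperators()` adds nothing once the strict comparison is in place, though keeping it is harmless. I cannot confirm from this hunk that `\Civi\Api\Exception` resolves to an existing class; if it does not, the throw becomes a fatal class-not-found error instead of an API error, so that name is worth checking against the exception class the API layer actually uses. The enclosing function `civicrm_api3_activity_get` begins before the hunk, and the `else` branch opened on the last line continues outside it.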