Implement checkAccess for EntityTags and Notes
authorColeman Watts <coleman@civicrm.org>
Sat, 8 May 2021 00:20:43 +0000 (20:20 -0400)
committerTim Otten <totten@civicrm.org>
Mon, 7 Jun 2021 03:18:52 +0000 (20:18 -0700)
CRM/Contact/AccessTrait.php
CRM/Core/BAO/EntityTag.php
CRM/Core/BAO/Note.php
CRM/Core/DynamicFKAccessTrait.php [new file with mode: 0644]
tests/phpunit/api/v3/ACLPermissionTest.php

index d3a5e396618fa75d08a02047655b609e5e4356f9..466198a3a79eae68be77215cd5014d16ff87dfea 100644 (file)
@@ -37,7 +37,7 @@ trait CRM_Contact_AccessTrait {
       return in_array(__CLASS__, ['CRM_Core_BAO_Phone', 'CRM_Core_BAO_Email', 'CRM_Core_BAO_Address']) &&
         CRM_Core_Permission::check('edit all events', $userID);
     }
-    return CRM_Contact_BAO_Contact::checkAccess($action, ['id' => $cid], $userID);
+    return CRM_Contact_BAO_Contact::checkAccess(CRM_Core_Permission::EDIT, ['id' => $cid], $userID);
   }
 
 }
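Review bot: The new call on the changed line maps every `$action` to `CRM_Core_Permission::EDIT`, so a view or delete check on a phone, email or address is answered by whether the user may edit the parent contact; that is stricter than the incoming action suggests, and nothing on the line says it is deliberate. If intended, a one-line comment above it would stop the next reader from restoring `$action`, e.g. `// Any access to a contact's sub-record is gated on edit access to the contact itself, regardless of $action.` The enclosing method starts outside the hunk, so whether `$action` is still consulted earlier in its body cannot be seen here.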
index cbd60e2cd62e3727be48c55b2b07ad7409417d85..35950c5cf16f6472922bb6ccf3a7ba8ea9da9b27 100644 (file)
@@ -16,6 +16,7 @@
  * @copyright CiviCRM LLC https://civicrm.org/licensing
  */
 class CRM_Core_BAO_EntityTag extends CRM_Core_DAO_EntityTag {
+  use CRM_Core_DynamicFKAccessTrait;
 
   /**
    * Given a contact id, it returns an array of tag id's the contact belongs to.
index d63d8dea2713e2a0759144242f9cf91d4db812fd..a08dbacf4faad35694c58b854e2497b488616bae 100644 (file)
@@ -19,6 +19,7 @@
  * BAO object for crm_note table.
  */
 class CRM_Core_BAO_Note extends CRM_Core_DAO_Note {
+  use CRM_Core_DynamicFKAccessTrait;
 
   /**
    * Const the max number of notes we display at any given time.
diff --git a/CRM/Core/DynamicFKAccessTrait.php b/CRM/Core/DynamicFKAccessTrait.php
new file mode 100644 (file)
index 0000000..1fe7baa
--- /dev/null
@@ -0,0 +1,46 @@
+<?php
+/*
+ +--------------------------------------------------------------------+
+ | Copyright CiviCRM LLC. All rights reserved.                        |
+ |                                                                    |
+ | This work is published under the GNU AGPLv3 license with some      |
+ | permitted exceptions and without any warranty. For full license    |
+ | and copyright information, see https://civicrm.org/licensing       |
+ +--------------------------------------------------------------------+
+ */
+
+/**
+ *
+ * @package CRM
+ * @copyright CiviCRM LLC https://civicrm.org/licensing
+ */
+
+/**
+ * Trait for with entities with an entity_table + entity_id dynamic FK.
+ */
+trait CRM_Core_DynamicFKAccessTrait {
+
+  /**
+   * @param string $action
+   * @param array $record
+   * @param int|NULL $userID
+   * @return bool
+   * @see CRM_Core_DAO::checkAccess
+   */
+  public static function _checkAccess(string $action, array $record, $userID): bool {
+    $eid = $record['entity_id'] ?? NULL;
+    $table = $record['entity_table'] ?? NULL;
+    if (!$eid && !empty($record['id'])) {
+      $eid = CRM_Core_DAO::getFieldValue(__CLASS__, $record['id'], 'entity_id');
+    }
+    if ($eid && !$table && !empty($record['id'])) {
+      $table = CRM_Core_DAO::getFieldValue(__CLASS__, $record['id'], 'entity_table');
+    }
+    if ($eid && $table) {
+      $bao = CRM_Core_DAO_AllCoreTables::getBAOClassName(CRM_Core_DAO_AllCoreTables::getClassForTable($table));
+      return $bao::checkAccess(CRM_Core_Permission::EDIT, ['id' => $eid], $userID);
+    }
+    return TRUE;
+  }
+
+}
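Review bot: When `$record` already carries an `entity_id`, the stored parent of an existing row is never consulted (the lookups at lines 77-82 run only when the key is absent), so an update that re-points a note or tag to a new parent is checked only against the new parent and the current owner's access is never verified — worth confirming against how callers assemble `$record` before `_checkAccess` runs. The trailing `return TRUE` is also fail-open: a row whose `entity_id` resolves to nothing is permitted, and an `entity_table` that `getClassForTable()` does not recognise presumably ends in a static call on an empty class name rather than a denial. The `$action` parameter is unused, mirroring the hard-coded EDIT in CRM/Contact/AccessTrait.php. Suggest denying on an unresolvable table and documenting the remaining TRUE fallback so it reads as a decision rather than an omission.
```php
  public static function _checkAccess(string $action, array $record, $userID): bool {
    // … unchanged: entity_id / entity_table resolution from $record or the stored row …
    if ($eid && $table) {
      $daoClass = CRM_Core_DAO_AllCoreTables::getClassForTable($table);
      // Unrecognised entity_table: deny instead of attempting a static call on an empty class name.
      if (!$daoClass) {
        return FALSE;
      }
      $bao = CRM_Core_DAO_AllCoreTables::getBAOClassName($daoClass);
      return $bao::checkAccess(CRM_Core_Permission::EDIT, ['id' => $eid], $userID);
    }
    // No parent to resolve (e.g. a create that has no entity_id yet): this trait imposes no restriction.
    return TRUE;
  }
```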
index 8641e253b25080f2ccf0b5606215e2c1d8bd844c..35ef4147be834280453ee056b331a1866c508ca6 100644 (file)
@@ -228,9 +228,6 @@ class api_v3_ACLPermissionTest extends CiviUnitTestCase {
       ]);
       $this->assertGreaterThan(0, $results['count']);
     }
-    if ($version == 4) {
-      $this->markTestIncomplete('Skipping entity_id related perms in api4 for now.');
-    }
     $newTag = civicrm_api3('Tag', 'create', [
       'name' => 'Foo123',
     ]);