*/
protected function getSubscriptionContactID() {
$sub = $this->getSubscriptionDetails();
- return $sub->contact_id ?? FALSE;
+ return $sub->contact_id ? (int) $sub->contact_id : FALSE;
}
/**
* Is this being used by a front end user to update their own recurring.
*
* @return bool
+ * @throws \CRM_Core_Exception
*/
protected function isSelfService() {
- if (!is_null($this->selfService)) {
+ if ($this->selfService !== NULL) {
return $this->selfService;
}
$this->selfService = FALSE;
if (!CRM_Core_Permission::check('edit contributions')) {
- if ($this->_subscriptionDetails->contact_id != $this->getContactID()) {
+ if ($this->getSubscriptionContactID() !== $this->getContactIDIfAccessingOwnRecord()) {
CRM_Core_Error::statusBounce(ts('You do not have permission to cancel this recurring contribution.'));
}
$this->selfService = TRUE;
];
}
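Review bot: The new comparison at L21, `$this->getSubscriptionContactID() !== $this->getContactIDIfAccessingOwnRecord()`, passes when both sides are FALSE, because each helper returns `int|false`; a subscription with no contact_id viewed by a request carrying no valid cid/cs would then skip the statusBounce and set `selfService = TRUE`. The old `!=` check had the same hole, but since this change is introducing the typed helpers it is the right place to close it: `$ownContactID = $this->getContactIDIfAccessingOwnRecord();` then `if (!$ownContactID || $ownContactID !== $this->getSubscriptionContactID()) {` before the bounce. The `];` at L25 does not look like it belongs to this method, and the end of isSelfService is not clearly visible here, so the hunk boundary is uncertain.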
- if (!$paymentProcessorObj->supports('ChangeSubscriptionAmount') && !$paymentProcessorObj->supports('EditRecurringContribution')) {
+ if (
+ (!CRM_Core_Permission::check('edit contributions') && $context === 'contribution') ||
+ (!$paymentProcessorObj->supports('ChangeSubscriptionAmount')
+ && !$paymentProcessorObj->supports('EditRecurringContribution')
+ )) {
unset($links[CRM_Core_Action::UPDATE]);
}
}
/**
* Get the contact id of the logged in user.
+ *
+ * @return int|false
*/
public function getLoggedInUserContactID() {
// check if the user is logged in and has a contact ID
$session = CRM_Core_Session::singleton();
- return $session->get('userID');
+ return $session->get('userID') ? (int) $session->get('userID') : FALSE;
}
/**
* - id_field
* - url (for ajax lookup)
*
+ * @throws \CRM_Core_Exception
* @todo add data attributes so we can deal with multiple instances on a form
*/
public function addAutoSelector($profiles = [], $autoCompleteField = []) {
}
}
+ /**
+ * Get the contact if from the url, using the checksum or the cid if it is the logged in user.
+ *
+ * This function returns the user being validated. It is not intended to get another user
+ * they have permission to (setContactID does do that) and can be used to check if the user is
+ * accessing their own record.
+ *
+ * @return int|false
+ * @throws \CRM_Core_Exception
+ */
+ protected function getContactIDIfAccessingOwnRecord() {
+ $contactID = (int) CRM_Utils_Request::retrieve('cid', 'Positive', $this);
+ if (!$contactID) {
+ return FALSE;
+ }
+ if ($contactID === $this->getLoggedInUserContactID()) {
+ return $contactID;
+ }
+ $userChecksum = CRM_Utils_Request::retrieve('cs', 'String', $this);
+ return CRM_Contact_BAO_Contact_Utils::validChecksum($contactID, $userChecksum) ? $contactID : FALSE;
+ }
+
}
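Review bot: The docblock of the added getContactIDIfAccessingOwnRecord has a typo in its summary line, `Get the contact if from the url` should read `Get the contact id from the url`, and it would help callers to state the contract explicitly: `Returns FALSE whenever the request does not prove ownership (no cid, or cid not matching the logged-in user and no valid checksum); callers must not treat FALSE as a comparable contact id.` The method itself reads correctly: the `(int)` cast at L68 makes the `===` against getLoggedInUserContactID at L72 sound now that the latter also returns an int. Whether L79 is the end of the class and of this hunk cannot be confirmed from the visible lines.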