return $relationshipsDT;
}
+ /**
+ * @inheritDoc
+ */
+ public function apiWhereClause($tableAlias) {
+ // Generate an acl clause for both contacts in the relationship
+ $clauses = array();
+ foreach (array('a', 'b') as $a) {
+ $clause = CRM_Contact_BAO_Contact_Permission::cacheSubquery("`$tableAlias`.contact_id_$a");
+ if ($clause !== NULL) {
+ $clauses[] = $clause;
+ }
+ }
+ return $clauses ? implode(' AND ', $clauses) : NULL;
+ }
+
}
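Review bot: `$tableAlias` is interpolated directly into the SQL fragment passed to `cacheSubquery()`, and the `@inheritDoc` docblock states no contract for it. The callers are not visible in this hunk, so the method should say what it expects: `@param string $tableAlias internally generated alias, never request input` and `@return string|null SQL condition, or NULL when no restriction applies` (the NULL meaning is inferred from the `!== NULL` check). Rejecting any alias that does not match `/^\w+$/` before building the clause would make the backtick quoting safe by construction rather than by convention.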
// Contact-related data permissions.
// CRM-14094 - Users can edit and delete contact-related objects using inline edit with 'edit all contacts' permission
$permissions['address'] = array(
- 'get' => array(
- 'access CiviCRM',
- 'view all contacts',
- ),
+ // get is managed by BAO::apiWhereClause
+ 'get' => array(),
'default' => array(
'access CiviCRM',
'edit all contacts',
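Review bot: `'get' => array()` removes both `access CiviCRM` and `view all contacts`, so read access to address now depends entirely on a BAO-level where clause. The same applies to phone, website and im, which copy this array, and to the relationship entry further down. The only `apiWhereClause` visible in this change is the relationship one, so if an entity's BAO lacks an implementation, or a read path skips the clause, `get` fails open with no permission check at all. Unless access without `access CiviCRM` is intended, keep a floor with `'get' => array('access CiviCRM'),`. Otherwise make the comment name the concrete method per entity and state that a missing implementation must deny rather than allow.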
$permissions['phone'] = $permissions['address'];
$permissions['website'] = $permissions['address'];
$permissions['im'] = $permissions['address'];
- $permissions['loc_block'] = $permissions['address'];
- $permissions['entity_tag'] = $permissions['address'];
- $permissions['note'] = $permissions['address'];
+ // @todo - implement CRM_Core_BAO_EntityTag::apiWhereClause and remove this heavy-handed restriction
+ $permissions['entity_tag'] = array('get' => array('access CiviCRM', 'view all contacts')) + $permissions['address'];
+ // @todo - ditto
+ $permissions['note'] = $permissions['entity_tag'];
// Allow non-admins to get and create tags to support tagset widget
// Delete is still reserved for admins
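Review bot: `// @todo - ditto` on the note entry does not say which method is missing, so a search for the outstanding ACL work on notes will not find it. Spell it out the way the entity_tag line does, for example `// @todo - implement apiWhereClause in the note BAO and remove this restriction`. It would also help to add a short comment on the entity_tag line that the `+` union keeps the left-hand `'get'` and takes every other action from `$permissions['address']`. Without that, a reader may assume the empty `'get'` from address carries over.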
//relationship permissions
$permissions['relationship'] = array(
- 'get' => array(
- 'access CiviCRM',
- 'view all contacts',
- ),
+ // get is managed by BAO::apiWhereClause
+ 'get' => array(),
'delete' => array(
'access CiviCRM',
'edit all contacts',
'edit all events',
),
);
+ // Loc block is only used for events
+ $permissions['loc_block'] = $permissions['event'];
// File permissions
$permissions['file'] = array(
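Review bot: `$permissions['loc_block'] = $permissions['event'];` reads `$permissions['event']`, which is not assigned anywhere in the visible lines. The enclosing function starts and ends outside this hunk, so this cannot be confirmed from here. If the event block is defined further down, loc_block is set to NULL (with an undefined-index notice) and the API falls back to whatever it does for an entity with no permission entry. Either move this assignment to directly after the event permissions are defined, or add a comment confirming the ordering, such as `// must come after $permissions['event'] is populated`.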