* Ideally the forms would override this so only the cid in the url
* would be checked in the shared form function.
*
- * @return int
+ * @return int|null
* @throws \CRM_Core_Exception
*/
public function getRequestedContactID(): ?int {
*/
protected function getAuthenticatedCheckSumContactID(): int {
$requestedContactID = $this->getRequestedContactID();
+ return $this->validateAuthenticatedCheckSumContactID($requestedContactID);
+ }
+
+ /**
+ * Verify that a contact ID is authenticated as a valid contact by checksum
+ *
+ * @param int|null $contactID
+ *
+ * @return int
+ * @throws \CRM_Core_Exception
+ */
+ protected function validateAuthenticatedCheckSumContactID(?int $contactID): int {
$userChecksum = CRM_Utils_Request::retrieve('cs', 'String', $this);
if ($userChecksum && CRM_Contact_BAO_Contact_Utils::validChecksum($requestedContactID, $userChecksum)) {
return $requestedContactID;
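Review bot: The new validateAuthenticatedCheckSumContactID() takes `$contactID`, but the unchanged lines that now form its body still read `$requestedContactID`, which is not defined inside that method as shown. The checksum would then be compared against an undefined (null) contact ID rather than the one the caller passed in, and the `return` would not hand back the validated ID. Both lines should use the parameter: `if ($userChecksum && CRM_Contact_BAO_Contact_Utils::validChecksum($contactID, $userChecksum)) {` and `return $contactID;`. The method body continues past the end of the hunk, so the failure path is not visible here.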
$this->_event_id = $this->_part_values['event_id'];
$url = CRM_Utils_System::url('civicrm/event/info', "reset=1&id={$this->_event_id}");
$this->define('Contact', 'ContactFrom', ['id' => (int) $this->_part_values['participant_contact_id']]);
- if (!$this->getAuthenticatedCheckSumContactID() && !CRM_Core_Permission::check('edit all events')) {
+ if (!$this->validateAuthenticatedCheckSumContactID($this->getDefinition('ContactFrom')['id']) && !CRM_Core_Permission::check('edit all events')) {
CRM_Core_Error::statusBounce(ts('You do not have sufficient permission to transfer/cancel this participant.'), $url);
}
$this->assign('action', $this->_action);
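Review bot: The negated call on the added line relies on validateAuthenticatedCheckSumContactID() returning a falsy value when the checksum does not validate, but this commit declares it `: int` with `@throws \CRM_Core_Exception` and its failure path is not visible. If failure is signalled by an exception, the `edit all events` fallback and the statusBounce() message are never reached, so it is worth confirming the method returns `0` and stating that in its docblock, e.g. `@return int Contact ID, or 0 if the checksum does not validate`. A short comment above the condition would also record why the argument changed: `// Validate the checksum against the participant's contact, not the cid from the URL.` The enclosing function starts and ends outside the hunk.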