Add unit test to cover granting everyone' group permission to access a group
authoreileen <emcnaughton@wikimedia.org>
Mon, 14 Jan 2019 09:04:45 +0000 (22:04 +1300)
committereileen <emcnaughton@wikimedia.org>
Mon, 14 Jan 2019 10:47:32 +0000 (23:47 +1300)
api/v3/Acl.php
api/v3/AclRole.php
tests/phpunit/CRMTraits/ACL/PermissionTrait.php
tests/phpunit/api/v3/ACLPermissionTest.php

index b7a81d4cacdad2eb6f52238b527824fafe0dcb8c..ab252c694b084098525d8ac1c752a83c6e3f10f3 100644 (file)
@@ -43,6 +43,16 @@ function civicrm_api3_acl_create($params) {
   return _civicrm_api3_basic_create(_civicrm_api3_get_BAO(__FUNCTION__), $params, 'Acl');
 }
 
+/**
+ * Acl create metadata.
+ *
+ * @param array $params
+ */
+function _civicrm_api3_acl_create_spec(&$params) {
+  $params['is_active']['api.default'] = 1;
+  $params['entity_table']['api.default'] = 'civicrm_acl_role';
+}
+
 /**
  * Get an Acl.
  *
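Review bot: The docblock on `_civicrm_api3_acl_create_spec` does not say that these defaults change what an API-created ACL grants. With `is_active` defaulting to 1 a rule takes effect as soon as it is created, and with `entity_table` defaulting to `civicrm_acl_role` the `entity_id` is read as a role id, where 0 is described as 'Everyone' by the test trait in this same commit. Because the commit is titled as a test addition, the production-side change deserves a line in the docblock, e.g. `Defaults make a new ACL active immediately and scope entity_id to civicrm_acl_role; pass is_active = 0 to create it disabled.` The `@param` line could also state that `$params` is taken by reference and modified in place. The same applies to `_civicrm_api3_acl_role_create_spec` in api/v3/AclRole.php.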
index 3084962c66d26ffdc81e632a4e3974e85c67ad63..5522845e21fa11637dcae0dff554f674d80864b3 100644 (file)
@@ -43,6 +43,16 @@ function civicrm_api3_acl_role_create($params) {
   return _civicrm_api3_basic_create(_civicrm_api3_get_BAO(__FUNCTION__), $params, 'EntityRole');
 }
 
+
+/**
+ * AclRole create metadata.
+ *
+ * @param array $params
+ */
+function _civicrm_api3_acl_role_create_spec(&$params) {
+  $params['is_active']['api.default'] = 1;
+}
+
 /**
  * Get an AclRole.
  *
index 6d19f07789094625bfe053c74d74cc862637bf1f..4b37e4e22928bddedce06f077b857a91f566139a 100644 (file)
@@ -35,6 +35,13 @@ trait CRMTraits_ACL_PermissionTrait {
   protected $allowedContactId = 0;
   protected $allowedContacts = [];
 
+  /**
+   * Ids created for the scenario in use.
+   *
+   * @var array
+   */
+  protected $scenarioIDs = [];
+
   /**
    * All results returned.
    *
@@ -94,4 +101,59 @@ trait CRMTraits_ACL_PermissionTrait {
     $where = " contact_a.id = " . $this->allowedContactId;
   }
 
+  /**
+   * Set up a core ACL.
+   *
+   * It is recommended that this helper function is accessed through a scenario function.
+   *
+   * @param array $permissionedEntities Array of groups for whom ACLs enable access.
+   * @param string|int $groupAllowedAccess Group permitted to access the permissioned Group
+   *   An ID of 0 means that 'Everyone' can access the group.
+   * @param string $operation View|Edit|Create|Delete|Search|All
+   * @param string $entity Group|CustomGroup|Profile|Event
+   *
+   * @throws CRM_Core_Exception
+   */
+  public function setupCoreACLPermittedToGroup($permissionedEntities = [], $groupAllowedAccess = 'Everyone', $operation = 'View', $entity = 'Group') {
+    $tableMap = ['Group' => 'civicrm_saved_search', 'CustomGroup' => 'civicrm_custom_group', 'Profile' => 'civicrm_uf_match', 'Event' => 'civicrm_event'];
+    $entityTable = $tableMap[$entity];
+
+    $permittedRoleID = ($groupAllowedAccess === 'Everyone') ? 0 : $groupAllowedAccess;
+    if ($permittedRoleID !== 0) {
+      throw new CRM_Core_Exception('only handling everyone group as yet');
+    }
+
+    foreach ($permissionedEntities as $permissionedEntityID) {
+      $this->callAPISuccess('Acl', 'create', [
+        'name' => uniqid(),
+        'operation' => $operation,
+        'entity_id' => $permittedRoleID,
+        'object_id' => $permissionedEntityID,
+        'object_table' => $entityTable,
+      ]);
+    }
+  }
+
+  /**
+   * Set up a scenario where everyone can access the permissioned group.
+   *
+   * A scenario in this class involves multiple defined assets. In this case we create
+   * - a group to which the everyone has permission
+   * - a contact in the group
+   * - a contact not in the group
+   *
+   * These are arrayed as follows
+   *   $this->scenarioIDs['Contact'] = ['permitted_contact' => x, 'non_permitted_contact' => y]
+   *   $this->scenarioIDs['Group'] = ['permitted_group' => x]
+   */
+  public function setupScenarioCoreACLEveryonePermittedToGroup() {
+    $this->quickCleanup(['civicrm_acl_cache', 'civicrm_acl_contact_cache']);
+    $this->scenarioIDs['Group']['permitted_group'] = $this->groupCreate();
+    $this->scenarioIDs['Contact']['permitted_contact'] = $this->individualCreate();
+    $result = $this->callAPISuccess('GroupContact', 'create', ['group_id' => $this->scenarioIDs['Group']['permitted_group'], 'contact_id' => $this->scenarioIDs['Contact']['permitted_contact'], 'status' => 'Added']);
+    $this->scenarioIDs['Contact']['non_permitted_contact'] = $this->individualCreate();
+    CRM_Core_Config::singleton()->userPermissionClass->permissions = [];
+    $this->setupCoreACLPermittedToGroup([$this->scenarioIDs['Group']['permitted_group']]);
+  }
+
 }
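Review bot: In `setupCoreACLPermittedToGroup` the `$tableMap` entry `'Profile' => 'civicrm_uf_match'` looks wrong, since civicrm_uf_match is the CMS-user-to-contact match table and profiles are stored in civicrm_uf_group. A Profile ACL built through this helper would presumably never match a real profile, so a later test relying on it could pass or fail for the wrong reason; please confirm and change it to `'Profile' => 'civicrm_uf_group',`. `$tableMap[$entity]` is also read without a check, so an unsupported `$entity` produces a null `object_table` rather than a clear failure; a guard such as `if (!isset($tableMap[$entity])) { throw new CRM_Core_Exception('unsupported entity ' . $entity); }` would surface the mistake at the call site. In `setupScenarioCoreACLEveryonePermittedToGroup`, `$result` is assigned but never used.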
index 63a36a54111cd637a3fb19d9e95274ce8351f067..3501d4d2f15c16ef0110b75ca73100d9846ef9ed 100644 (file)
@@ -664,4 +664,15 @@ class api_v3_ACLPermissionTest extends CiviUnitTestCase {
     return $contacts;
   }
 
+  /**
+   * Test that the 'everyone' group can be given access to a contact.
+   */
+  public function testGetACLEveryonePermittedEntity() {
+    $this->setupScenarioCoreACLEveryonePermittedToGroup();
+    $this->callAPISuccess('Contact', 'getsingle', [
+      'id' => $this->scenarioIDs['Contact']['permitted_contact'],
+      'check_permissions' => 1,
+    ]);
+  }
+
 }
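Review bot: `testGetACLEveryonePermittedEntity` checks only the allow path, so it would still pass if the ACL (or the cleared permission set) ended up exposing every contact. The scenario already creates `non_permitted_contact` for exactly this purpose; add the deny assertion after the existing call, e.g. `$this->callAPIFailure('Contact', 'getsingle', ['id' => $this->scenarioIDs['Contact']['non_permitted_contact'], 'check_permissions' => 1]);`. The docblock also says access is given "to a contact", while the scenario grants access to a group; `Test that granting 'Everyone' access to a group exposes only contacts in that group.` would describe it more precisely.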