Before
------
* `Queue.get` requires permission `administer queues`
* `UserJob.*` requires permission `access CiviCRM`, but it only
returns records where the `created_id` matches the current user
After
-----
* `Queue.get` and `UserJob.*` follow similar rules
* Users with permission `administer queues` can view all
* Users with permission `access CiviCRM` can view items where `created_id` matches current-user
* @inheritDoc
*/
public function addSelectWhereClause(): array {
- $clauses['created_id'] = '= ' . (int) CRM_Core_Session::getLoggedInContactID();
+ $clauses = [];
+ if (!\CRM_Core_Permission::check('administer queues')) {
+ $clauses['created_id'] = '= ' . (int) CRM_Core_Session::getLoggedInContactID();
+ }
+ CRM_Utils_Hook::selectWhereClause($this, $clauses);
return $clauses;
}
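Review bot: The non-admin branch of `addSelectWhereClause()` depends on `(int) CRM_Core_Session::getLoggedInContactID()` to fail closed when there is no logged-in contact, and nothing in the hunk says so. If that call returns null for such a session (not visible here), the clause becomes `created_id = 0`, which presumably matches no row; I would record that next to the assignment, e.g. `// No logged-in contact casts to 0, which should match no row (fail closed).` The same cast is used for `$cid` in the `CRM_Queue_BAO_Queue` hunk. The docblock above is only `@inheritDoc`, so one line stating the rule (`administer queues` sees all records, everyone else only rows with their own `created_id`) would help the next reader.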
*/
class CRM_Queue_BAO_Queue extends CRM_Queue_DAO_Queue implements \Civi\Core\HookInterface {
+ public function addSelectWhereClause(): array {
+ $clauses = [];
+ if (!\CRM_Core_Permission::check('administer queues')) {
+ $cid = (int) CRM_Core_Session::getLoggedInContactID();
+ $clauses['id'] = "IN (SELECT queue_id FROM `civicrm_user_job` WHERE created_id = $cid)";
+ }
+ CRM_Utils_Hook::selectWhereClause($this, $clauses);
+ return $clauses;
+ }
+
/**
* Get a list of valid statuses.
*
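Review bot: The new `CRM_Queue_BAO_Queue::addSelectWhereClause()` has no docblock and builds its subquery by interpolating `$cid` into the SQL string; the `(int)` cast on the line above is the only thing keeping that string safe. I would add a docblock saying that users without `administer queues` only see queues referenced by a `civicrm_user_job` row they created, plus a comment such as `// $cid is cast to int above; keep the cast if this line is refactored.` Under this clause a queue with no matching user job is invisible to non-admins, which looks intended from the description but is worth stating in the docblock.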
return [
'meta' => ['access CiviCRM'],
'default' => ['administer queues'],
+ 'get' => ['access CiviCRM'],
'runItem' => [\CRM_Core_Permission::ALWAYS_DENY_PERMISSION],
];
}
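Review bot: With `'get' => ['access CiviCRM']` the API-level gate for `Queue.get` is lowered, so the row filter in `CRM_Queue_BAO_Queue::addSelectWhereClause()` becomes the only thing separating one user's queues from another's, and nothing at this line says so. A comment like `// Row-level access is enforced in CRM_Queue_BAO_Queue::addSelectWhereClause()` would stop someone from removing one half without the other. No test is visible on this page; a case asserting that a user with only `access CiviCRM` gets back their own queues and none created by another contact would pin the behaviour. The function enclosing this array starts outside the hunk.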