CRM-13644 - ACL does not protect group listing (in civiMail and other places)
authorjitendrapurohit <jitendra.purohit@webaccessglobal.com>
Fri, 31 Jul 2015 11:50:38 +0000 (17:20 +0530)
committerjitendrapurohit <jitendra.purohit@webaccessglobal.com>
Fri, 31 Jul 2015 11:50:38 +0000 (17:20 +0530)
CRM/ACL/API.php
api/v3/Group.php

index f3681b3fa8702eb91c056b0150f1f95fd82cb7d1..675beb80de3fa91c5d0b105446936a7c269e4fb8 100644 (file)
@@ -227,6 +227,9 @@ class CRM_ACL_API {
       $groups = self::group($type, $contactID, $tableName, $allGroups, $includedGroups);
       $cache[$key] = $groups;
     }
+    if (empty($groups)) {
+      return FALSE;
+    }
 
     return in_array($groupID, $groups) ? TRUE : FALSE;
   }
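Review bot: The new `empty($groups)` guard has no comment explaining why it is needed, and the reason is not obvious, since `in_array()` on an empty array already yields FALSE. If it is there because `self::group()` can hand back a non-array (e.g. NULL) when no ACL matches — an inference, as the callee is not visible here — a comment should record that, for example `// No ACL-permitted groups (group() may return a non-array): deny by default.` Stating the fail-closed intent matters for an access decision, because a later refactor could otherwise drop the guard as redundant. The enclosing method starts above the hunk.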
index a5d7cfeb231af4c72448fba2800e3003cbc7f6da..37b9567c1eb0556f7b02ce07971a795b67dde321 100644 (file)
@@ -71,14 +71,17 @@ function _civicrm_api3_group_create_spec(&$params) {
  */
 function civicrm_api3_group_get($params) {
   $options = _civicrm_api3_get_options_from_params($params, TRUE, 'Group', 'get');
-  if (empty($options['return']) || !in_array('member_count', $options['return'])) {
-    return _civicrm_api3_basic_get(_civicrm_api3_get_BAO(__FUNCTION__), $params, TRUE, 'Group');
-  }
-
   $groups = _civicrm_api3_basic_get(_civicrm_api3_get_BAO(__FUNCTION__), $params, FALSE, 'Group');
   foreach ($groups as $id => $group) {
-    $groups[$id]['member_count'] = CRM_Contact_BAO_Group::memberCount($id);
+    $permission = CRM_Contact_BAO_Group::checkPermission($group['id']);
+    if (!$permission) {
+      unset($groups[$id]);
+    }
+    else if (!empty($options['return']) && in_array('member_count', $options['return'])) {
+      $groups[$id]['member_count'] = CRM_Contact_BAO_Group::memberCount($id);
+    }
   }
+  $groups = array_values($groups);
   return civicrm_api3_create_success($groups, $params, 'Group', 'get');
 }
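Review bot: The permission filter in the `foreach` runs after `_civicrm_api3_basic_get()` has already executed the query, so any limit/offset taken from `$params` is presumably applied before unpermitted groups are removed; a caller paging through results can then receive short or empty pages while permitted groups remain further on. The filter is also unconditional and never consults `check_permissions`, so internal callers that deliberately pass `check_permissions = 0` would now be restricted by the logged-in user's ACLs; if that is not intended, the condition could read `if (!empty($params['check_permissions']) && !CRM_Contact_BAO_Group::checkPermission($id))`. `array_values($groups)` re-keys the result from group id to 0..n-1, which changes the response shape for callers that index values by id unless `civicrm_api3_create_success()` restores the keys (not visible here). As a smaller point, the loop uses `$group['id']` for the permission check but `$id` for `memberCount()`; using `$id` in both places avoids depending on `id` being among the returned fields.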