* API Result Array
*/
function civicrm_api3_contact_create($params) {
-
$contactID = CRM_Utils_Array::value('contact_id', $params, CRM_Utils_Array::value('id', $params));
+
+ if ($contactID && !empty($params['check_permissions']) && !CRM_Contact_BAO_Contact_Permission::allow($contactID, CRM_Core_Permission::EDIT)) {
+ throw new \Civi\API\Exception\UnauthorizedException('Permission denied to modify contact record');
+ }
+
$dupeCheck = CRM_Utils_Array::value('dupe_check', $params, FALSE);
$values = _civicrm_api3_contact_check_params($params, $dupeCheck);
if ($values) {
* @param array $params
* input parameters per getfields
*
+ * @throws \Civi\API\Exception\UnauthorizedException
* @return array
* API Result Array
*/
function civicrm_api3_contact_delete($params) {
-
$contactID = CRM_Utils_Array::value('id', $params);
+ if (!empty($params['check_permissions']) && !CRM_Contact_BAO_Contact_Permission::allow($contactID, CRM_Core_Permission::DELETE)) {
+ throw new \Civi\API\Exception\UnauthorizedException('Permission denied to modify contact record');
+ }
+
$session = CRM_Core_Session::singleton();
if ($contactID == $session->get('userID')) {
return civicrm_api3_create_error('This contact record is linked to the currently logged in user account - and cannot be deleted.');
protected $_apiversion = 3;
public $DBResetRequired = FALSE;
protected $_entity;
+ protected $allowedContactId = 0;
public function setUp() {
parent::setUp();
* Function tests that a user with "edit my contact" can edit themselves.
*/
public function testContactEditHookWithEditMyContact() {
- $this->markTestIncomplete('api acls only work with contact get so far');
$cid = $this->createLoggedInUser();
$this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults'));
CRM_Core_Config::singleton()->userPermissionClass->permissions = array('access CiviCRM', 'edit my contact');
));
}
+ /**
+ * Ensure contact permissions extend to related entities like email
+ */
+ public function testRelatedEntityPermissions() {
+ $disallowedContact = $this->individualCreate(array(), 0);
+ $this->allowedContactId = $this->individualCreate(array(), 1);
+ $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlyOne'));
+ CRM_Core_Config::singleton()->userPermissionClass->permissions = array('access CiviCRM');
+ $testEntities = array(
+ 'Email' => array('email' => 'null@nothing'),
+ 'Phone' => array('phone' => '123456'),
+ 'IM' => array('name' => 'hello'),
+ 'Website' => array('url' => 'http://test'),
+ 'Address' => array('street_address' => '123 Sesame St.'),
+ );
+ foreach ($testEntities as $entity => $params) {
+ $params += array(
+ 'contact_id' => $disallowedContact,
+ 'check_permissions' => 1,
+ );
+ // We should be prevented from getting or creating entities for a contact we don't have permission for
+ $this->callAPIFailure($entity, 'create', $params);
+ $results = $this->callAPISuccess($entity, 'get', array('contact_id' => $disallowedContact, 'check_permissions' => 1));
+ $this->assertEquals(0, $results['count']);
+
+ // We should be allowed to create and get for contacts we do have permission on
+ $params['contact_id'] = $this->allowedContactId;
+ $this->callAPISuccess($entity, 'create', $params);
+ $results = $this->callAPISuccess($entity, 'get', array('contact_id' => $this->allowedContactId, 'check_permissions' => 1));
+ $this->assertGreaterThan(0, $results['count']);
+ }
+ }
+
/**
* Function tests all results are returned.
*/
/**
* No results returned.
+ * @implements CRM_Utils_Hook::aclWhereClause
* @param $type
* @param $tables
* @param $whereTables
}
/**
- * Full results returned.
+ * All but first results returned.
* @implements CRM_Utils_Hook::aclWhereClause
* @param $type
* @param $tables
$where = " contact_a.id > 1";
}
+ /**
+ * Only specified contact returned.
+ * @implements CRM_Utils_Hook::aclWhereClause
+ * @param $type
+ * @param $tables
+ * @param $whereTables
+ * @param $contactID
+ * @param $where
+ */
+ public function aclWhereOnlyOne($type, &$tables, &$whereTables, &$contactID, &$where) {
+ $where = " contact_a.id = " . $this->allowedContactId;
+ }
+
}
projects / civicrm-core.git / commitdiff