/**
* Decide what permissions to check for an api call
- * The contact must have all of the returned permissions for the api call to be allowed
*
* @param $entity : (str) api entity
* @param $action : (str) api action
* * default: catch-all for anything not declared
*
* Note: some APIs declare other actions as well
+ *
+ * Permissions should use arrays for AND and arrays of arrays for OR
+ * @see CRM_Core_Permission::check for more documentation
*/
$permissions = array();
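Review bot: The added sentence `Permissions should use arrays for AND and arrays of arrays for OR` does not say which nesting level is which, and a misplaced bracket in a later edit would silently turn a required permission into an optional one. The removed line stated the all-of rule outright, so the replacement should keep that the outer list is still all-of and show the inner form with a one-line example, e.g. `* e.g. array('a', array('b', 'c')) means a AND (b OR c)`. That reading matches the `// nested array = OR` comment used further down for `case_type`.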
'delete in CiviCase',
),
'default' => array(
- // This is the minimum permission needed. Finer-grained access is controlled by CRM_Case_BAO_Case::addSelectWhereClause
- 'access my cases and activities',
+ // At minimum the user needs one of the following. Finer-grained access is controlled by CRM_Case_BAO_Case::addSelectWhereClause
+ array('access my cases and activities', 'access all cases and activities'),
),
);
$permissions['case_contact'] = $permissions['case'];
$permissions['case_type'] = array(
'default' => array('administer CiviCase'),
- 'get' => array('access my cases and activities'),
+ 'get' => array(
+ // nested array = OR
+ array('access my cases and activities', 'access all cases and activities'),
+ ),
);
// Campaign permissions
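Review bot: The `'default'` entry for `case` and the `'get'` entry for `case_type` now contain a nested array, so any consumer that assumes every element of a permission list is a string will misbehave; the docblock names only `CRM_Core_Permission::check` as understanding the nesting. The code that builds the permission-denied message and any `hook_civicrm_alterAPIPermissions` implementation are not visible here, so it is worth confirming they handle an array element. Because `$permissions['case_contact'] = $permissions['case'];` copies the whole array, the relaxed default also applies to `case_contact`; I would say so next to the assignment, e.g. `// case_contact inherits the case rules, including the OR in 'default'`. A test with a user holding only 'access all cases and activities' against `case`, `case_contact` and `case_type` get would pin the intended result. The `$permissions['case']` array opens above this hunk.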