The validation of dashboard_id implicitly involved a permission check. That
permission check is wrong in some cases (e.g. a drush script running without
any particular user), but right in others (e.g. an AJAX call), so it is now
keyed on the API's check_permissions flag.
* Get the list of dashlets enabled by admin
*
* @param boolean $all all or only active
+ * @param boolean $checkPermission all or only authorized for the current user
*
* @return array $widgets array of dashlets
* @access public
* @static
*/
- static function getDashlets($all = TRUE) {
+ static function getDashlets($all = TRUE, $checkPermission = TRUE) {
$dashlets = array();
$dao = new CRM_Core_DAO_Dashboard();
$dao->find();
while ($dao->fetch()) {
- if (!self::checkPermission($dao->permission, $dao->permission_operator)) {
+ if ($checkPermission && !self::checkPermission($dao->permission, $dao->permission_operator)) {
continue;
}
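Review bot: The new `@param` line describes `$checkPermission` with the same "all or only ..." wording as `$all`, which leaves the fail-open side unstated: when it is FALSE the `continue` on line 22 is never reached and every dashlet is returned regardless of its `permission`/`permission_operator`. The docblock should say that explicitly, e.g. `@param boolean $checkPermission if FALSE, skip the permission filter and also return dashlets the current user may not view (only safe in trusted, non-request contexts such as drush)`. The filter on line 21 is the only gate in this loop, so every caller that passes FALSE becomes responsible for its own authorization. getDashlets' body (the rest of the while loop and the return) continues past the end of the hunk.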
function _civicrm_api3_dashboard_contact_check_params(&$params) {
$dashboard_id = CRM_Utils_Array::value('dashboard_id', $params);
if ($dashboard_id) {
- $allDashlets = CRM_Core_BAO_Dashboard::getDashlets();
+ $allDashlets = CRM_Core_BAO_Dashboard::getDashlets(TRUE, CRM_Utils_Array::value('check_permissions', $params, 0));
if (!isset($allDashlets[$dashboard_id])) {
- return civicrm_api3_create_error('Invalid Dashboard ID');
+ return civicrm_api3_create_error('Invalid or inaccessible dashboard ID');
}
}
return NULL;
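Review bot: The default of `0` for `check_permissions` on line 28 makes the dashboard lookup fail-open for any caller that omits the flag, so an in-process API call without `check_permissions` can now attach a dashlet the acting user is not permitted to see, where before the lookup always filtered. That is presumably the intended API-wrapper convention (the wrapper forcing the flag on for REST/AJAX entry points), but nothing here shows it, so it deserves a comment at the call site such as `// Permission filtering is opt-in via check_permissions; trusted in-process callers (e.g. drush) may omit it`. `getDashlets` also documents the argument as boolean while the value read from `$params` may be an int or string, so cast it: `$allDashlets = CRM_Core_BAO_Dashboard::getDashlets(TRUE, (bool) CRM_Utils_Array::value('check_permissions', $params, 0));`. The enclosing function's closing brace lies past the end of the hunk.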