}
/**
- * Given an array of entity ids and entity table, add all the entity to the tags
+ * Given an array of entity ids and entity table, add all the entity to the tags.
*
* @param array $entityIds
* (reference ) the array of entity ids to be added.
$entityIdsAdded = array();
foreach ($entityIds as $entityId) {
+ // CRM-17350 - check if we have permission to edit the contact
+ // that this tag belongs to.
+ if (!CRM_Contact_BAO_Contact_Permission::allow($entityId, CRM_Core_Permission::EDIT)) {
+ $numEntitiesNotAdded++;
+ continue;
+ }
$tag = new CRM_Core_DAO_EntityTag();
$tag->entity_id = $entityId;
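Review bot: The new guard passes `$entityId` straight to `CRM_Contact_BAO_Contact_Permission::allow()`, i.e. it treats every id as a contact id, yet the docblock in the earlier hunk says this function also takes an entity table, so for a non-contact `entity_table` the check is presumably evaluated against an unrelated contact record that happens to share the numeric id and may deny a legitimate edit or pass one it should not. Either scope the check to contacts, roughly `if ($entityTable === 'civicrm_contact' && !CRM_Contact_BAO_Contact_Permission::allow($entityId, CRM_Core_Permission::EDIT)) {` (the table parameter's actual name is not visible here), or resolve the entity to its owning contact before calling `allow()`. A short comment stating which entity tables the ACL check covers would help the next reader. The enclosing function starts and ends outside this hunk.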
$entityIdsRemoved = array();
foreach ($entityIds as $entityId) {
+ // CRM-17350 - check if we have permission to edit the contact
+ // that this tag belongs to.
+ if (!CRM_Contact_BAO_Contact_Permission::allow($entityId, CRM_Core_Permission::EDIT)) {
+ $numEntitiesNotAdded++;
+ continue;
+ }
$tag = new CRM_Core_DAO_EntityTag();
$tag->entity_id = $entityId;
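Review bot: In the removal loop the denied branch increments `$numEntitiesNotAdded`, which reads as a copy-paste from the add loop above: the local being built here is `$entityIdsRemoved`, so the counter this function reports is presumably the not-removed one, and `$numEntitiesNotAdded` is likely not initialised in this scope (a PHP notice, and denied removals never reach the caller's counts). Change the line to `$numEntitiesNotRemoved++;`, or to whatever this function's not-removed counter is actually named outside the hunk. The same caveat as in the add loop applies: the check assumes `$entityId` is a contact id regardless of the entity table. The enclosing function starts and ends outside this hunk.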
// @todo - ditto
$permissions['note'] = $permissions['entity_tag'];
+ // CRM-17350 - entity_tag ACL permissions are checked at the BAO level
+ $permissions['entity_tag'] = array(
+ 'get' => array(
+ 'access CiviCRM',
+ 'view all contacts',
+ ),
+ 'default' => array(
+ 'access CiviCRM',
+ ),
+ );
+
// Allow non-admins to get and create tags to support tagset widget
// Delete is still reserved for admins
$permissions['tag'] = array(
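Review bot: `$permissions['note'] = $permissions['entity_tag'];` on the line just above the new block copies the previous entity_tag definition, so after this change 'note' silently stops mirroring entity_tag; if the `@todo - ditto` alias is meant to track it, move the new array above that assignment, otherwise add a comment such as `// note deliberately keeps the pre-CRM-17350 entity_tag rule`. Separately, 'get' still requires 'view all contacts' while the other actions presumably fall back to 'access CiviCRM' plus the BAO-level check described in the comment, so an ACL-scoped user can tag and untag but cannot read tags back through the API, which looks inconsistent; if the BAO check also covers reads, 'get' can drop to 'access CiviCRM', and if it does not, the comment should say that only writes are ACL-checked at the BAO level. The `$permissions['tag']` array continues outside the hunk.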