CRM-15980 Test for API does not permit PHP to permanently delete a contact (#9210)
authorEileen McNaughton <eileen@mcnaughty.com>
Tue, 11 Oct 2016 12:41:04 +0000 (13:41 +0100)
committercolemanw <coleman@civicrm.org>
Tue, 11 Oct 2016 12:41:04 +0000 (08:41 -0400)
* CRM-15980 Test for API does not permit PHP to permanently delete a contact

* CRM-15980 fix API does not permit PHP to permanently delete a contact

Change-Id: I4bc50fedf31de60312f3ab1ad0f216fb85962bca

CRM/Contact/BAO/Contact.php
api/v3/Contact.php
tests/phpunit/api/v3/ContactTest.php

index a38a8272ef7212953736fde5815db3f88cb5cf3d..b90ccd47d3c411e1c0f774e7e66e4c32b9dc66c5 100644 (file)
@@ -789,7 +789,7 @@ WHERE     civicrm_contact.id = " . CRM_Utils_Type::escape($id, 'Integer');
    * @return bool
    *   Was contact deleted?
    */
-  public static function deleteContact($id, $restore = FALSE, $skipUndelete = FALSE) {
+  public static function deleteContact($id, $restore = FALSE, $skipUndelete = FALSE, $checkPermissions = TRUE) {
 
     if (!$id) {
       return FALSE;
@@ -801,8 +801,8 @@ WHERE     civicrm_contact.id = " . CRM_Utils_Type::escape($id, 'Integer');
 
     // make sure we have edit permission for this contact
     // before we delete
-    if (($skipUndelete && !CRM_Core_Permission::check('delete contacts')) ||
-      ($restore && !CRM_Core_Permission::check('access deleted contacts'))
+    if ($checkPermissions && (($skipUndelete && !CRM_Core_Permission::check('delete contacts')) ||
+      ($restore && !CRM_Core_Permission::check('access deleted contacts')))
     ) {
       return FALSE;
     }
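Review bot: The new `$checkPermissions` parameter is not documented — the hunk begins at the `@return` tag and no `@param` line is added above it, so a caller cannot tell from the docblock that passing FALSE skips the 'delete contacts' and 'access deleted contacts' checks altogether. I would add `@param bool $checkPermissions` / `Whether to enforce 'delete contacts' (permanent delete) and 'access deleted contacts' (restore). Pass FALSE only from trusted PHP callers.` above `@return bool`. The existing comment "make sure we have edit permission for this contact" also no longer describes the condition: it tests 'delete contacts' and 'access deleted contacts', and only for the `$skipUndelete`/`$restore` branches — a plain soft delete is not gated here at all, which predates this change but is worth stating in the comment so nobody assumes `$checkPermissions = TRUE` protects it. deleteContact's docblock starts above the hunk and its body continues past it.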
index fdab683d68c76e688d6e599a83b203e4718c7c2c..0a2f686d700a256fce795d282a11fdb923fc0d82 100644 (file)
@@ -408,7 +408,8 @@ function civicrm_api3_contact_delete($params) {
   if ($skipUndelete && CRM_Financial_BAO_FinancialItem::checkContactPresent(array($contactID), $error)) {
     return civicrm_api3_create_error($error['_qf_default']);
   }
-  if (CRM_Contact_BAO_Contact::deleteContact($contactID, $restore, $skipUndelete)) {
+  if (CRM_Contact_BAO_Contact::deleteContact($contactID, $restore, $skipUndelete,
+    CRM_Utils_Array::value('check_permissions', $params))) {
     return civicrm_api3_create_success();
   }
   else {
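Review bot: `CRM_Utils_Array::value('check_permissions', $params)` returns NULL when the key is absent, so the BAO's new default of TRUE is replaced by "no check" for any caller that omits the flag — the permission gate in deleteContact is now only as strong as every caller remembering to set `check_permissions`. If the v3 kernel always populates the key for REST/AJAX entry points this matches the convention elsewhere in the API, but that is not visible in this hunk, so make the default explicit and typed: `CRM_Utils_Array::value('check_permissions', $params, FALSE)` wrapped in `(bool)`, with a comment that an omitted flag means a trusted PHP call. civicrm_api3_contact_delete starts above the hunk and continues past it.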
index 2d3493c5e8d365e47ebd976c2545040c90504d3d..480cc9355a6b9862794df9da93f612c87693629b 100644 (file)
@@ -2288,6 +2288,24 @@ class api_v3_ContactTest extends CiviUnitTestCase {
     $this->callAPISuccess('contact', 'create', $params);
   }
 
+  /**
+   * Test that delete with skip undelete respects permissions.
+   */
+  public function testContactDeletePermissions() {
+    $contactID = $this->individualCreate();
+    CRM_Core_Config::singleton()->userPermissionClass->permissions = array('access CiviCRM');
+    $this->callAPIFailure('Contact', 'delete', array(
+      'id' => $contactID,
+      'check_permissions' => 1,
+      'skip_undelete' => 1,
+    ));
+    $this->callAPISuccess('Contact', 'delete', array(
+      'id' => $contactID,
+      'check_permissions' => 0,
+      'skip_undelete' => 1,
+    ));
+  }
+
   /**
    * Test update with check permissions set.
    */
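Review bot: testContactDeletePermissions has no positive case for a permitted user — the only `check_permissions => 1` call is expected to fail, so a regression that made deleteContact return FALSE whenever `$checkPermissions` is TRUE would still pass. Add a second contact deleted by a user holding 'delete contacts' with `check_permissions => 1` and `skip_undelete => 1` via callAPISuccess, as below. The restore path (`restore => 1`, which needs 'access deleted contacts') and the case where `check_permissions` is omitted entirely — which this commit's API change turns into "no check" — are also untested. The reduced permissions array is never restored at the end of the test; if CiviUnitTestCase::tearDown does not reset it, later tests in the class inherit it.
```php
    // … unchanged: existing failure/success calls on $contactID …
    // Positive case: a user holding 'delete contacts' may permanently delete.
    $permittedID = $this->individualCreate();
    CRM_Core_Config::singleton()->userPermissionClass->permissions = array('access CiviCRM', 'delete contacts');
    $this->callAPISuccess('Contact', 'delete', array(
      'id' => $permittedID,
      'check_permissions' => 1,
      'skip_undelete' => 1,
    ));
```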