From: Coleman Watts
Date: Sat, 13 Dec 2014 23:28:04 +0000 (-0500)
Subject: CRM-15713 - Case ajax fixes
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=077dbf5e9d9a9cea51bdc0ff097278be6cec8bca;p=civicrm-core.git
CRM-15713 - Case ajax fixes
---
diff --git a/CRM/Case/BAO/Case.php b/CRM/Case/BAO/Case.php
index 39823568eb..a6a6a538b2 100644
--- a/CRM/Case/BAO/Case.php
+++ b/CRM/Case/BAO/Case.php
@@ -55,7 +55,17 @@ class CRM_Case_BAO_Case extends CRM_Case_DAO_Case {
 }
 /**
- * takes an associative array and creates a case object
+ * Is CiviCase enabled?
+ *
+ * @return bool
+ */
+ static function enabled() {
+ $config = CRM_Core_Config::singleton();
+ return in_array('CiviCase', $config->enableComponents);
+ }
+
+ /**
+ * Takes an associative array and creates a case object
 *
 * the function extract all the params it needs to initialize the create a
 * case object. the params array could contain additional unused name/value
@@ -2804,18 +2814,8 @@ WHERE id IN (' . implode(',', $copiedActivityIds) . ')';
 }
 //do check for civicase component enabled.
- if ($checkComponent) {
- static $componentEnabled;
- if (!isset($componentEnabled)) {
- $config = CRM_Core_Config::singleton();
- $componentEnabled = FALSE;
- if (in_array('CiviCase', $config->enableComponents)) {
- $componentEnabled = TRUE;
- }
- }
- if (!$componentEnabled) {
- return $allow;
- }
+ if ($checkComponent && !self::enabled()) {
+ return $allow;
 }
 //do check for cases.
@@ -3044,15 +3044,7 @@ WHERE id IN (' . implode(',', $copiedActivityIds) . ')';
 * or 'access all cases and activities'
 */
 static function accessCiviCase() {
- static $componentEnabled;
- if (!isset($componentEnabled)) {
- $componentEnabled = FALSE;
- $config = CRM_Core_Config::singleton();
- if (in_array('CiviCase', $config->enableComponents)) {
- $componentEnabled = TRUE;
- }
- }
- if (!$componentEnabled) {
+ if (!self::enabled()) {
 return FALSE;
 }
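Review bot: The new `enabled()` helper declares no visibility and its `in_array()` call omits the strict flag, which is the defensive default when the haystack comes from configuration; `public static function enabled() {` and `return in_array('CiviCase', $config->enableComponents, TRUE);` keep the contract and match the gating role it now plays for the two callers below. Dropping the `static $componentEnabled` caches in those callers means the config singleton is consulted on every call, which looks harmless given `singleton()`, though that cost is not visible here. The docblock could also state that the result reflects `enableComponents` at call time rather than being cached.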
@@ -3066,7 +3058,34 @@ WHERE id IN (' . implode(',', $copiedActivityIds) . ')';
 }
 /**
- * Function to check whether activity is a case Activity
+ * Verify user has permission to access a case
+ *
+ * @param int $caseId
+ *
+ * @return bool
+ */
+ static function accessCase($caseId) {
+ if (!$caseId || !self::enabled()) {
+ return FALSE;
+ }
+
+ // This permission always has access
+ if (CRM_Core_Permission::check('access all cases and activities')) {
+ return TRUE;
+ }
+
+ // This permission is required at minimum
+ if (!CRM_Core_Permission::check('access my cases and activities')) {
+ return FALSE;
+ }
+
+ $filterCases = CRM_Case_BAO_Case::getCases(FALSE);
+
+ return isset($filterCases[$caseId]);
+ }
+
+ /**
+ * Check whether activity is a case Activity
 *
 * @param int $activityID activity id
 *
diff --git a/CRM/Case/Page/AJAX.php b/CRM/Case/Page/AJAX.php
index 6b83546414..f51db8c8c2 100644
--- a/CRM/Case/Page/AJAX.php
+++ b/CRM/Case/Page/AJAX.php
@@ -66,13 +66,12 @@ class CRM_Case_Page_AJAX {
 function processCaseTags() {
- $caseId = CRM_Utils_Type::escape($_POST['case_id'], 'Integer');
+ $caseId = CRM_Utils_Type::escape($_POST['case_id'], 'Positive');
 $tags = CRM_Utils_Type::escape($_POST['tag'], 'String');
 $tagList = $_POST['taglist'];
- if (empty($caseId)) {
- echo 'false';
- CRM_Utils_System::civiExit();
+ if (!CRM_Case_BAO_Case::accessCase($caseId)) {
+ CRM_Utils_System::permissionDenied();
 }
 $tagIds = array();
@@ -125,7 +124,12 @@ class CRM_Case_Page_AJAX {
 }
 function caseDetails() {
- $caseId = CRM_Utils_Type::escape($_GET['caseId'], 'Integer');
+ $caseId = CRM_Utils_Type::escape($_GET['caseId'], 'Positive');
+
+ if (!CRM_Case_BAO_Case::accessCase($caseId)) {
+ CRM_Utils_System::permissionDenied();
+ }
+
 $sql = "SELECT civicrm_case.*, civicrm_case_type.title as case_type
 FROM civicrm_case
 INNER JOIN civicrm_case_type ON civicrm_case.case_type_id = civicrm_case_type.id
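Review bot: `accessCase()` answers a yes/no question about a single id by calling `CRM_Case_BAO_Case::getCases(FALSE)`, which, going by its name, builds the whole list of cases visible to the user on every AJAX request that reaches the 'access my cases and activities' branch; if getCases can be narrowed to one case that would be cheaper, otherwise the cost is worth a comment since this helper now sits in front of four handlers. The `isset($filterCases[$caseId])` test presumes getCases returns an array keyed by case id, which is not visible here and belongs in the docblock. For consistency with `self::enabled()` two lines earlier, the call could read `$filterCases = self::getCases(FALSE);`. The docblock could also spell out the decision: TRUE when CiviCase is enabled and the user either holds 'access all cases and activities' or holds 'access my cases and activities' and the case is in their own case list.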
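Review bot: `processCaseTags()` now depends on `CRM_Utils_System::permissionDenied()` ending the request, whereas the removed branch called `CRM_Utils_System::civiExit()` explicitly; if permissionDenied() ever returns, the handler continues with an id the user was just denied, so either confirm it never returns or follow it with `CRM_Utils_System::civiExit();`. The same pattern appears in caseDetails on this line and in addClient and deleteCaseRoles below. `$tagList = $_POST['taglist'];` is still taken raw; how it is consumed is outside the hunk, so confirm it is validated before it reaches SQL or output. processCaseTags's body continues outside the hunk.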
@@ -149,8 +153,12 @@ class CRM_Case_Page_AJAX {
 }
 function addClient() {
- $caseId = CRM_Utils_Type::escape($_POST['caseID'], 'Integer');
- $contactId = CRM_Utils_Type::escape($_POST['contactID'], 'Integer');
+ $caseId = CRM_Utils_Type::escape($_POST['caseID'], 'Positive');
+ $contactId = CRM_Utils_Type::escape($_POST['contactID'], 'Positive');
+
+ if (!$contactId || !CRM_Case_BAO_Case::accessCase($caseId)) {
+ CRM_Utils_System::permissionDenied();
+ }
 $params = array(
 'case_id' => $caseId,
@@ -188,8 +196,12 @@ class CRM_Case_Page_AJAX {
 * Function to delete relationships specific to case and relationship type
 */
 static function deleteCaseRoles() {
- $caseId = CRM_Utils_Type::escape($_POST['case_id'], 'Integer');
- $relType = CRM_Utils_Type::escape($_POST['rel_type'], 'Integer');
+ $caseId = CRM_Utils_Type::escape($_POST['case_id'], 'Positive');
+ $relType = CRM_Utils_Type::escape($_POST['rel_type'], 'Positive');
+
+ if (!$relType || !CRM_Case_BAO_Case::accessCase($caseId)) {
+ CRM_Utils_System::permissionDenied();
+ }
 $sql = "DELETE FROM civicrm_relationship WHERE case_id={$caseId} AND relationship_type_id={$relType}";
 CRM_Core_DAO::executeQuery($sql);
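Review bot: The guard in `addClient()` verifies that the caller may access the case, but the only check on `$contactId` is that it is non-zero; nothing in the hunk establishes that the caller may attach that contact to a case. Whether a contact-level permission check happens later in addClient is outside the hunk, so confirm it or add one next to this guard. addClient's body continues outside the hunk.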
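Review bot: The DELETE in `deleteCaseRoles()` still interpolates `{$caseId}` and `{$relType}` into the SQL string; both pass through `escape(..., 'Positive')` and the new guard rejects a zero `$relType`, so the values are constrained, but the query reads more safely as a parameterized call that keeps the typing at the query site: `CRM_Core_DAO::executeQuery('DELETE FROM civicrm_relationship WHERE case_id = %1 AND relationship_type_id = %2', array(1 => array($caseId, 'Positive'), 2 => array($relType, 'Positive')));`. The docblock could also note that the delete is scoped to a case the caller has been verified to access.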