From: Coleman Watts Date: Tue, 5 Jan 2016 21:28:30 +0000 (-0500) Subject: CRM-17645 - Refactor case permissions to go through the api X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=3924e596cf4904ea8f4037db2b5058450e818a12;p=civicrm-core.git CRM-17645 - Refactor case permissions to go through the api --- diff --git a/CRM/Case/BAO/Case.php b/CRM/Case/BAO/Case.php index fdb0a4ab4e..9e29f77a6b 100644 --- a/CRM/Case/BAO/Case.php +++ b/CRM/Case/BAO/Case.php @@ -3094,39 +3094,12 @@ WHERE id IN (' . implode(',', $copiedActivityIds) . ')'; return FALSE; } - // This permission always has access - if (CRM_Core_Permission::check('access all cases and activities')) { - return TRUE; - } - - // This permission is required at minimum - if (!CRM_Core_Permission::check('access my cases and activities')) { - return FALSE; - } - - $session = CRM_Core_Session::singleton(); - $userID = CRM_Utils_Type::validate($session->get('userID'), 'Positive'); - $caseId = CRM_Utils_Type::validate($caseId, 'Positive'); - - $condition = " AND civicrm_case.is_deleted = 0 "; - $condition .= " AND case_relationship.contact_id_b = {$userID} "; - $condition .= " AND civicrm_case.id = {$caseId}"; - - if ($denyClosed) { - $closedId = CRM_Core_OptionGroup::getValue('case_status', 'Closed', 'name'); - $condition .= " AND civicrm_case.status_id != $closedId"; + $params = array('id' => $caseId, 'check_permissions' => TRUE); + if ($denyClosed && !CRM_Core_Permission::check('access all cases and activities')) { + $params['status_id'] = array('!=' => 'Closed'); } - - // We don't actually care about activities in the case, but the underlying - // query is verbose, and this allows us to share the basic query with - // getCases(). $type=='any' means that activities will be left-joined. - $query = self::getCaseActivityQuery('any', $userID, $condition); - $queryParams = array(); - $dao = CRM_Core_DAO::executeQuery($query, - $queryParams - ); - - return (bool) $dao->fetch(); + $result = civicrm_api3('Case', 'getcount', $params); + return (bool) $result['result']; } /** diff --git a/CRM/Case/Page/AJAX.php b/CRM/Case/Page/AJAX.php index c42e9b7496..9dbc11a69e 100644 --- a/CRM/Case/Page/AJAX.php +++ b/CRM/Case/Page/AJAX.php @@ -33,7 +33,7 @@ */ /** - * This class contains all case related functions that are called using AJAX (jQuery) + * This class contains all case related functions that are called using AJAX */ class CRM_Case_Page_AJAX { @@ -64,6 +64,9 @@ class CRM_Case_Page_AJAX { CRM_Utils_JSON::output($results); } + /** + * @throws \CRM_Core_Exception + */ public function processCaseTags() { $caseId = CRM_Utils_Type::escape($_POST['case_id'], 'Positive'); @@ -123,40 +126,34 @@ class CRM_Case_Page_AJAX { CRM_Utils_System::civiExit(); } + /** + * @throws \CiviCRM_API3_Exception + */ public function caseDetails() { $caseId = CRM_Utils_Type::escape($_GET['caseId'], 'Positive'); - if (!CRM_Case_BAO_Case::accessCase($caseId, FALSE)) { - CRM_Utils_System::permissionDenied(); - } + $case = civicrm_api3('Case', 'getsingle', + array('id' => $caseId, 'return' => array('subject', 'case_type_id', 'status_id', 'start_date', 'end_date'))); - $sql = "SELECT civicrm_case.*, civicrm_case_type.title as case_type - FROM civicrm_case - INNER JOIN civicrm_case_type ON civicrm_case.case_type_id = civicrm_case_type.id - WHERE civicrm_case.id = %1"; - $dao = CRM_Core_DAO::executeQuery($sql, array(1 => array($caseId, 'Integer'))); - - if ($dao->fetch()) { - $caseStatuses = CRM_Case_PseudoConstant::caseStatus(); - $cs = $caseStatuses[$dao->status_id]; - $caseDetails = " - - - - " . CRM_Utils_Date::customFormat($dao->end_date) . "
" . ts('Case Subject') . "{$dao->subject}
" . ts('Case Type') . "{$dao->case_type}
" . ts('Case Status') . "{$cs}
" . ts('Case Start Date') . "" . CRM_Utils_Date::customFormat($dao->start_date) . "
" . ts('Case End Date') . "
"; - if (CRM_Utils_Array::value('snippet', $_GET) == 'json') { - CRM_Core_Page_AJAX::returnJsonResponse($caseDetails); - } - else { - echo $caseDetails; - } - } - else { - CRM_Core_Error::fatal('Could not find valid Case.'); + $caseStatuses = CRM_Case_PseudoConstant::caseStatus(); + $caseTypes = CRM_Case_PseudoConstant::caseType('title', FALSE); + $caseDetails = " + + + + " . CRM_Utils_Date::customFormat($case['end_date']) . "
" . ts('Case Subject') . "{$case['subject']}
" . ts('Case Type') . "{$caseTypes[$case['case_type_id']]}
" . ts('Case Status') . "{$caseStatuses[$case['status_id']]}
" . ts('Case Start Date') . "" . CRM_Utils_Date::customFormat($case['start_date']) . "
" . ts('Case End Date') . "
"; + + if (CRM_Utils_Array::value('snippet', $_GET) == 'json') { + CRM_Core_Page_AJAX::returnJsonResponse($caseDetails); } + + echo $caseDetails; CRM_Utils_System::civiExit(); } + /** + * @throws \CRM_Core_Exception + */ public function addClient() { $caseId = CRM_Utils_Type::escape($_POST['caseID'], 'Positive'); $contactId = CRM_Utils_Type::escape($_POST['contactID'], 'Positive'); diff --git a/Civi/API/SelectQuery.php b/Civi/API/SelectQuery.php index 9c9d837304..fc322d6d38 100644 --- a/Civi/API/SelectQuery.php +++ b/Civi/API/SelectQuery.php @@ -367,7 +367,7 @@ class SelectQuery { } // More than 4 joins deep seems excessive - DOS attack? if ($depth > self::MAX_JOINS) { - throw new UnauthorizedException("Maximum number of joins exceeded for api.{$this->entity}.get in parameter $fkFieldName"); + throw new UnauthorizedException("Maximum number of joins exceeded in parameter $fkFieldName"); } if (!isset($fkField['FKApiName']) && !isset($fkField['FKClassName'])) { // Join doesn't exist - might be another param with a dot in it for some reason, we'll just ignore it. @@ -516,7 +516,7 @@ class SelectQuery { * Get acl clause for an entity * * @param string $tableAlias - * @param \CRM_Core_DAO $daoName + * @param string $daoName * @return null|string */ private function getAclClause($tableAlias, $daoName = NULL) {