From: eileen <emcnaughton@wikimedia.org>
Date: Mon, 2 Sep 2019 06:35:19 +0000 (+1200)
Subject: Dedupe permissions - allow safe mode merging based on 'merge duplicate contacts'
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=418ffc5be84e39a037b341432e751f591a0a5942;p=civicrm-core.git

Dedupe permissions - allow safe mode merging based on 'merge duplicate contacts'

Ensure force merge permission for force merging (not at the api layer as api v4 won't use that
---

diff --git a/CRM/Core/Permission.php b/CRM/Core/Permission.php
index 0e2a3c16af..c2730c1bef 100644
--- a/CRM/Core/Permission.php
+++ b/CRM/Core/Permission.php
@@ -1183,6 +1183,9 @@ class CRM_Core_Permission {
     $permissions['exception'] = [
       'default' => ['merge duplicate contacts'],
     ];
+    $permissions['job'] = [
+      'process_batch_merge' => ['merge duplicate contacts'],
+    ];
     // Loc block is only used for events
     $permissions['loc_block'] = $permissions['event'];
 
diff --git a/CRM/Dedupe/Merger.php b/CRM/Dedupe/Merger.php
index 9e501f35f6..003239ff58 100644
--- a/CRM/Dedupe/Merger.php
+++ b/CRM/Dedupe/Merger.php
@@ -692,10 +692,15 @@ INNER JOIN  civicrm_membership membership2 ON membership1.membership_type_id = m
    *  per comments on isSelected above.
    *
    * @return array|bool
+   *
+   * @throws \CRM_Core_Exception
+   * @throws \CiviCRM_API3_Exception
    */
   public static function batchMerge($rgid, $gid = NULL, $mode = 'safe', $batchLimit = 1, $isSelected = 2, $criteria = [], $checkPermissions = TRUE, $reloadCacheIfEmpty = NULL) {
     $redirectForPerformance = ($batchLimit > 1) ? TRUE : FALSE;
-
+    if ($mode === 'aggressive' && $checkPermissions && !CRM_Core_Permission::check('force merge duplicate contacts')) {
+      throw new CRM_Core_Exception(ts('Insufficient permissions for aggressive mode batch merge'));
+    }
     if (!isset($reloadCacheIfEmpty)) {
       $reloadCacheIfEmpty = (!$redirectForPerformance && $isSelected == 2);
     }
diff --git a/tests/phpunit/api/v3/JobTest.php b/tests/phpunit/api/v3/JobTest.php
index bc5adbd8a8..c9ebda053c 100644
--- a/tests/phpunit/api/v3/JobTest.php
+++ b/tests/phpunit/api/v3/JobTest.php
@@ -1112,7 +1112,7 @@ class api_v3_JobTest extends CiviUnitTestCase {
    * @param $dataSet
    */
   public function testBatchMergeWorksCheckPermissionsTrue($dataSet) {
-    CRM_Core_Config::singleton()->userPermissionClass->permissions = ['access CiviCRM', 'administer CiviCRM'];
+    CRM_Core_Config::singleton()->userPermissionClass->permissions = ['access CiviCRM', 'administer CiviCRM', 'merge duplicate contacts', 'force merge duplicate contacts'];
     foreach ($dataSet['contacts'] as $params) {
       $this->callAPISuccess('Contact', 'create', $params);
     }