From: Coleman Watts
Date: Fri, 8 Jan 2016 22:29:46 +0000 (-0500)
Subject: CRM-17795 - Refine api permissions
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=4dc781056eff5f9c151ab299c8311066bebd2c2b;p=civicrm-core.git
CRM-17795 - Refine api permissions
Improves permissions for relationship, address, email, phone, website, im, loc_block
---
diff --git a/CRM/Contact/BAO/Relationship.php b/CRM/Contact/BAO/Relationship.php
index 8f4c19f378..9b2319031a 100644
--- a/CRM/Contact/BAO/Relationship.php
+++ b/CRM/Contact/BAO/Relationship.php
@@ -2101,4 +2101,19 @@ AND cc.sort_name LIKE '%$name%'";
 return $relationshipsDT;
 }
+ /**
+ * @inheritDoc
+ */
+ public function apiWhereClause($tableAlias) {
+ // Generate an acl clause for both contacts in the relationship
+ $clauses = array();
+ foreach (array('a', 'b') as $a) {
+ $clause = CRM_Contact_BAO_Contact_Permission::cacheSubquery("`$tableAlias`.contact_id_$a");
+ if ($clause !== NULL) {
+ $clauses[] = $clause;
+ }
+ }
+ return $clauses ? implode(' AND ', $clauses) : NULL;
+ }
+
 }
diff --git a/CRM/Core/DAO/permissions.php b/CRM/Core/DAO/permissions.php
index 96597a7935..8663778a5e 100644
--- a/CRM/Core/DAO/permissions.php
+++ b/CRM/Core/DAO/permissions.php
@@ -108,10 +108,8 @@ function _civicrm_api3_permissions($entity, $action, &$params) {
 // Contact-related data permissions.
 // CRM-14094 - Users can edit and delete contact-related objects using inline edit with 'edit all contacts' permission
 $permissions['address'] = array(
- 'get' => array(
- 'access CiviCRM',
- 'view all contacts',
- ),
+ // get is managed by BAO::apiWhereClause
+ 'get' => array(),
 'default' => array(
 'access CiviCRM',
 'edit all contacts',
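Review bot: In `apiWhereClause`, `$tableAlias` is interpolated straight into a backtick-quoted identifier in the `cacheSubquery(...)` argument, and nothing in the hunk checks it, so the method relies on every caller passing a trusted alias. If the alias can ever derive from API parameters, reject anything that is not a plain identifier first, for example `if (!preg_match('/^\w+$/', $tableAlias)) { throw new InvalidArgumentException('Invalid table alias'); }`. The docblock is only `@inheritDoc`; it should also say that a NULL return means no ACL restriction is added, and that the two clauses are ANDed so both contacts in the relationship must be visible to the caller. The enclosing class starts outside the hunk.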
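Review bot: With `'get' => array()` on `$permissions['address']` (and again on `$permissions['relationship']` in a later hunk), the permission table no longer gates reads at all, so the only control left on address, phone, website and im rows is the BAO's `apiWhereClause` being applied on every get path. This patch shows that method only for `CRM_Contact_BAO_Relationship`; the address-family BAOs are not visible here, so confirm each of them implements it before the static check is dropped. Dropping `'access CiviCRM'` is a separate decision from dropping `'view all contacts'`; if it is not intended, keep `'get' => array('access CiviCRM'),`. A test that calls get with `check_permissions` set, as a user holding no permissions, and expects zero rows would pin this behaviour down.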
@@ -121,9 +119,10 @@ function _civicrm_api3_permissions($entity, $action, &$params) {
 $permissions['phone'] = $permissions['address'];
 $permissions['website'] = $permissions['address'];
 $permissions['im'] = $permissions['address'];
- $permissions['loc_block'] = $permissions['address'];
- $permissions['entity_tag'] = $permissions['address'];
- $permissions['note'] = $permissions['address'];
+ // @todo - implement CRM_Core_BAO_EntityTag::apiWhereClause and remove this heavy-handed restriction
+ $permissions['entity_tag'] = array('get' => array('access CiviCRM', 'view all contacts')) + $permissions['address'];
+ // @todo - ditto
+ $permissions['note'] = $permissions['entity_tag'];
 // Allow non-admins to get and create tags to support tagset widget
 // Delete is still reserved for admins
@@ -135,10 +134,8 @@ function _civicrm_api3_permissions($entity, $action, &$params) {
 //relationship permissions
 $permissions['relationship'] = array(
- 'get' => array(
- 'access CiviCRM',
- 'view all contacts',
- ),
+ // get is managed by BAO::apiWhereClause
+ 'get' => array(),
 'delete' => array(
 'access CiviCRM',
 'edit all contacts',
@@ -250,6 +247,8 @@ function _civicrm_api3_permissions($entity, $action, &$params) {
 'edit all events',
 ),
 );
+ // Loc block is only used for events
+ $permissions['loc_block'] = $permissions['event'];
 // File permissions
 $permissions['file'] = array(
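Review bot: The new `$permissions['entity_tag']` line depends on array union keeping the left-hand `'get'` entry and taking every other action from `$permissions['address']`, which is easy to misread as a merge that the address entry could override. A comment such as `// array union: the left-hand 'get' wins, all other actions are inherited from address` would make the restriction explicit, since it is the only thing keeping `'view all contacts'` on these two entities. `// @todo - ditto` should name what it refers to, for example `// @todo - implement apiWhereClause for the note BAO and remove this restriction`, so it stays meaningful if the line above is moved or removed.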
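Review bot: `$permissions['loc_block'] = $permissions['event'];` moves loc_block from the contact permissions to whatever the event entry grants, and the event array's `'get'` entry is outside this hunk, so the resulting read gate cannot be checked from here. Loc blocks appear to reference address, email and phone records, so confirm that the event get permission is an acceptable gate for those references now that it is no longer `'view all contacts'`. The assignment is a copy by value and only works while it sits after the event array; a comment such as `// must stay below $permissions['event']; copied by value` would protect it from reordering. The enclosing function starts and ends outside the hunk.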