From: Seamus Lee
Date: Mon, 13 Nov 2023 21:58:09 +0000 (+1100)
Subject: dev/core#4768 Fix validating contact when using checksum url
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=8067beb89005af104e610b66ca386af514aca626;p=civicrm-core.git
dev/core#4768 Fix validating contact when using checksum url
Fix type error failures
---
diff --git a/CRM/Core/Form.php b/CRM/Core/Form.php
index 85e98bc758..3a605bfa7d 100644
--- a/CRM/Core/Form.php
+++ b/CRM/Core/Form.php
@@ -2488,7 +2488,7 @@ class CRM_Core_Form extends HTML_QuickForm_Page {
 * Ideally the forms would override this so only the cid in the url
 * would be checked in the shared form function.
 *
- * @return int
+ * @return int|null
 * @throws \CRM_Core_Exception
 */
 public function getRequestedContactID(): ?int {
@@ -2537,6 +2537,18 @@ class CRM_Core_Form extends HTML_QuickForm_Page {
 */
 protected function getAuthenticatedCheckSumContactID(): int {
 $requestedContactID = $this->getRequestedContactID();
+ return $this->validateAuthenticatedCheckSumContactID($requestedContactID);
+ }
+
+ /**
+ * Verify that a contact ID is authenticated as a valid contact by checksum
+ *
+ * @param int|null $contactID
+ *
+ * @return int
+ * @throws \CRM_Core_Exception
+ */
+ protected function validateAuthenticatedCheckSumContactID(?int $contactID): int {
 $userChecksum = CRM_Utils_Request::retrieve('cs', 'String', $this);
 if ($userChecksum && CRM_Contact_BAO_Contact_Utils::validChecksum($requestedContactID, $userChecksum)) {
 return $requestedContactID;
diff --git a/CRM/Event/Form/SelfSvcTransfer.php b/CRM/Event/Form/SelfSvcTransfer.php
index 50e43054e9..f658ae3879 100644
--- a/CRM/Event/Form/SelfSvcTransfer.php
+++ b/CRM/Event/Form/SelfSvcTransfer.php
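Review bot: In the new `validateAuthenticatedCheckSumContactID(?int $contactID)` the retained body lines still read `$requestedContactID`, which is not defined in that method's scope, so `validChecksum()` is always handed null and a matching checksum would `return $requestedContactID` (null) from an `int`-typed method — a TypeError rather than the authenticated ID, which is the opposite of what the commit message claims to fix. The two context lines should use the parameter: `if ($userChecksum && CRM_Contact_BAO_Contact_Utils::validChecksum($contactID, $userChecksum)) {` and `return $contactID;`. As far as this hunk shows, the existing `getAuthenticatedCheckSumContactID()` wrapper now delegates to the broken method too, so no caller gets a working checksum path. Whether `validChecksum()` fails closed on a null ID is not visible here and is worth confirming, since this is the only thing standing between an anonymous `cs` parameter and an authenticated contact. The rest of the method body, including the unauthenticated return, lies outside the hunk.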
@@ -125,7 +125,7 @@ class CRM_Event_Form_SelfSvcTransfer extends CRM_Core_Form {
 $this->_event_id = $this->_part_values['event_id'];
 $url = CRM_Utils_System::url('civicrm/event/info', "reset=1&id={$this->_event_id}");
 $this->define('Contact', 'ContactFrom', ['id' => (int) $this->_part_values['participant_contact_id']]);
- if (!$this->getAuthenticatedCheckSumContactID() && !CRM_Core_Permission::check('edit all events')) {
+ if (!$this->validateAuthenticatedCheckSumContactID($this->getDefinition('ContactFrom')['id']) && !CRM_Core_Permission::check('edit all events')) {
 CRM_Core_Error::statusBounce(ts('You do not have sufficient permission to transfer/cancel this participant.'), $url);
 }
 $this->assign('action', $this->_action);
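Review bot: The new guard is only as good as `validateAuthenticatedCheckSumContactID()`, and the version of that method added in this same commit (CRM/Core/Form.php) still compares the checksum against `$requestedContactID` rather than its `$contactID` parameter, so as the patch stands the checksum branch here cannot succeed and every self-service user without `edit all events` is bounced. Once that is corrected, this line is the real security improvement — the checksum is bound to the participant's own contact instead of whatever `cid` is in the URL — and that intent deserves a comment because it is easy to "simplify" back: `// Validate the checksum against the participant's own contact, not the cid in the URL, so a checksum issued for one contact cannot authorise transferring another contact's registration.` Note the `(int)` cast on the line above turns a missing `participant_contact_id` into 0; what `validChecksum()` does with 0 is not visible here and should fail closed. The enclosing method starts and ends outside this hunk.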