From: colemanw Date: Tue, 14 Nov 2023 01:57:26 +0000 (-0500) Subject: APIv4 - Fix access to case activities for administrators X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=93ab798a06b9a471ce39b98265ce729bbe96a84d;p=civicrm-core.git APIv4 - Fix access to case activities for administrators Fixes dev/core#4769 Before: Case administrators with 'access deleted contacts' permission blocked from viewing Case activities in APIv4 After: Permissions work correctly. The problem was the hook logic was incorrectly interpreting empty permissions to mean "no access" when it actually means "unrestricted access".
---
diff --git a/ext/civi_case/civi_case.php b/ext/civi_case/civi_case.php
index 43d5b67706..5ba1da28c4 100644
--- a/ext/civi_case/civi_case.php
+++ b/ext/civi_case/civi_case.php
@@ -25,14 +25,16 @@ function civi_case_civicrm_managed(&$entities, $modules) {
 */
 function civi_case_civicrm_selectWhereClause($entityName, &$clauses, $userId, $conditions) {
 if ($entityName === 'Activity') {
+ $casePerms = CRM_Utils_SQL::mergeSubquery('Case');
+ if (!$casePerms) {
+ // Unrestricted access to CiviCase
+ return;
+ }
 // OR group: either it's a non-case activity OR case permissions apply
 $orGroup = [
 'NOT IN (SELECT activity_id FROM civicrm_case_activity)',
+ 'IN (SELECT activity_id FROM civicrm_case_activity WHERE case_id ' . implode(' AND case_id ', $casePerms) . ')',
 ];
- $casePerms = CRM_Utils_SQL::mergeSubquery('Case');
- if ($casePerms) {
- $orGroup[] = 'IN (SELECT activity_id FROM civicrm_case_activity WHERE case_id ' . implode(' AND case_id ', $casePerms) . ')';
- }
 $clauses['id'][] = $orGroup;
 }
 }
diff --git a/tests/phpunit/api/v4/Entity/CaseTest.php b/tests/phpunit/api/v4/Entity/CaseTest.php
index 39cd8d3028..1e2f877364 100644
--- a/tests/phpunit/api/v4/Entity/CaseTest.php
+++ b/tests/phpunit/api/v4/Entity/CaseTest.php
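Review bot: The early return on `if (!$casePerms)` makes the Activity ACL depend on `CRM_Utils_SQL::mergeSubquery('Case')` returning an empty array only for unrestricted users; if that helper can also return an empty array for a user with no CiviCase access at all, this hunk would drop the id filter entirely rather than hiding case activities, which is the opposite failure from the one being fixed. The inline comment should record that contract explicitly, e.g. `// An empty clause list means the user's Case ACL is unrestricted; a 'no access' ACL is expected to yield a non-empty deny clause, which is what makes this early return safe`. Note also that `$userId` is not consulted anywhere in the function, so the permission check presumably applies to the logged-in user rather than the user passed by the caller — worth confirming against how APIv4 invokes this hook. The function's docblock begins before the hunk; the function body itself is fully visible.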
@@ -257,10 +257,11 @@ class CaseTest extends Api4TestBase {
 $this->assertCount(1, $result);
 $this->assertEquals($case1, $result[0]);
- // CiviCase permission for all cases
+ // CiviCase permission for all contacts and cases
 \CRM_Core_Config::singleton()->userPermissionClass->permissions = [
 'access CiviCRM',
 'view all contacts',
+ 'access deleted contacts',
 'access all cases and activities',
 'administer CiviCase',
 ];
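Review bot: The permission set added here only exercises the fully-privileged path (`'access deleted contacts'` alongside `'access all cases and activities'`), so nothing in this hunk guards the other side of the new early return: a user holding `'access deleted contacts'` but no CiviCase permission must still be denied case activities. Adding a second permission set with the two case permissions removed, followed by the same lookup and an assertion that the case activity is not returned, would pin that behaviour as a regression test. The enclosing test method starts and ends outside the hunk, so the assertions that follow this permission change are not visible here.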