From: Edsel <edsel.lopez@jmaconsulting.biz>
Date: Wed, 27 Jan 2016 12:42:15 +0000 (+0530)
Subject: CRM-16259 CIVI-3 Added permissions for payment api
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=a036f52ca7b4e18d84ed4c499c4de4b2c99ce176;p=civicrm-core.git

CRM-16259 CIVI-3 Added permissions for payment api

----------------------------------------
* CRM-16259: Create Payment API
  https://issues.civicrm.org/jira/browse/CRM-16259
---

diff --git a/api/v3/Payment.php b/api/v3/Payment.php
index 4de7545221..aec343105d 100644
--- a/api/v3/Payment.php
+++ b/api/v3/Payment.php
@@ -41,6 +41,9 @@
  *   Array of financial transactions which are payments, if error an array with an error id and error message
  */
 function civicrm_api3_payment_get($params) {
+  if (!CRM_Core_Permission::check('access CiviContribute')) {
+    return civicrm_api3_create_error('You do not have permission to access this api');
+  }
   $financialTrxn = array();
   $limit = '';
   if (isset($params['options']) && CRM_Utils_Array::value('limit', $params['options'])) {
@@ -85,6 +88,9 @@ function civicrm_api3_payment_get($params) {
  *   Api result array
  */
 function civicrm_api3_payment_delete(&$params) {
+  if (!CRM_Core_Permission::check('access CiviContribute') && !CRM_Core_Permission::check('delete in CiviContribute')) {
+    return civicrm_api3_create_error('You do not have permission to access this api');
+  }
   return civicrm_api3('FinancialTrxn', 'delete', $params);
 }
 
@@ -99,6 +105,9 @@ function civicrm_api3_payment_delete(&$params) {
  *   Api result array
  */
 function civicrm_api3_payment_cancel(&$params) {
+  if (!CRM_Core_Permission::check('access CiviContribute') && !CRM_Core_Permission::check('edit contributions')) {
+    return civicrm_api3_create_error('You do not have permission to access this api');
+  }
   $eftParams = array(
     'entity_table' => 'civicrm_contribution',
     'financial_trxn_id' => $params['id'],
@@ -126,6 +135,9 @@ function civicrm_api3_payment_cancel(&$params) {
  *   Api result array
  */
 function civicrm_api3_payment_create(&$params) {
+  if (!CRM_Core_Permission::check('access CiviContribute') && !CRM_Core_Permission::check('edit contributions')) {
+    return civicrm_api3_create_error('You do not have permission to access this api');
+  }
   // Check if it is an update
   if (CRM_Utils_Array::value('id', $params)) {
     $amount = $params['total_amount'];