From: jitendrapurohit
Date: Fri, 31 Jul 2015 11:50:38 +0000 (+0530)
Subject: CRM-13644 - ACL does not protect group listing (in civiMail and other places)
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=a0fd420c71ed387e21eb1bffb3b4113b6db5bfac;p=civicrm-core.git
CRM-13644 - ACL does not protect group listing (in civiMail and other places)
---
diff --git a/CRM/ACL/API.php b/CRM/ACL/API.php
index f3681b3fa8..675beb80de 100644
--- a/CRM/ACL/API.php
+++ b/CRM/ACL/API.php
@@ -227,6 +227,9 @@ class CRM_ACL_API {
$groups = self::group($type, $contactID, $tableName, $allGroups, $includedGroups);
$cache[$key] = $groups;
}
+ if (empty($groups)) {
+ return FALSE;
+ }
return in_array($groupID, $groups) ? TRUE : FALSE;
}
diff --git a/api/v3/Group.php b/api/v3/Group.php
index a5d7cfeb23..37b9567c1e 100644
--- a/api/v3/Group.php
+++ b/api/v3/Group.php
@@ -71,14 +71,17 @@ function _civicrm_api3_group_create_spec(&$params) {
*/
function civicrm_api3_group_get($params) {
$options = _civicrm_api3_get_options_from_params($params, TRUE, 'Group', 'get');
- if (empty($options['return']) || !in_array('member_count', $options['return'])) {
- return _civicrm_api3_basic_get(_civicrm_api3_get_BAO(__FUNCTION__), $params, TRUE, 'Group');
- }
- $groups = _civicrm_api3_basic_get(_civicrm_api3_get_BAO(__FUNCTION__), $params, FALSE, 'Group');
foreach ($groups as $id => $group) {
- $groups[$id]['member_count'] = CRM_Contact_BAO_Group::memberCount($id);
+ $permission = CRM_Contact_BAO_Group::checkPermission($group['id']);
+ if (!$permission) {
+ unset($groups[$id]);
+ }
+ else if (!empty($options['return']) && in_array('member_count', $options['return'])) {
+ $groups[$id]['member_count'] = CRM_Contact_BAO_Group::memberCount($id);
+ }
}
+ $groups = array_values($groups);
return civicrm_api3_create_success($groups, $params, 'Group', 'get');
}
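Review bot: The access decision on the unchanged `return in_array($groupID, $groups) ? TRUE : FALSE;` line, directly below the new guard, still uses loose comparison, so a `$groupID` that is not in canonical form can compare equal to a permitted ID. If `$groups` holds the IDs as strings (not visible here, so confirm first), `return in_array((string) $groupID, $groups, TRUE);` makes the match exact. The added `empty($groups)` check changes nothing for an empty array, since `in_array` already returns FALSE there; it presumably exists for a NULL or other non-array result from `self::group()`, and a comment such as `// self::group() may return a non-array; treat that as no access` would record that. The enclosing method starts above the hunk, so how `$groupID` is validated earlier cannot be seen from here.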
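Review bot: The permission filter in the `foreach` runs only after `_civicrm_api3_basic_get()` has built the result from `$params`, so any limit or offset the caller passed is presumably applied to unfiltered rows. A page can then come back short or empty while permitted groups exist further on, and a count taken from the query would still include groups the caller may not see. The check reads `$group['id']`, which may be missing when `return` names other fields only; the loop key is already used as the group ID by `memberCount($id)`, so `$permission = CRM_Contact_BAO_Group::checkPermission($id);` is the safer form. Nothing in the hunk consults `check_permissions`, so internal callers are filtered by the current user's ACL as well; if that is intended, a short comment above the loop should say so. `$groups = array_values($groups);` also discards the ID keys that callers of the previous code path may have relied on, which is worth confirming against `civicrm_api3_create_success()`.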