From: demeritcowboy
Date: Mon, 19 Jun 2023 22:45:35 +0000 (-0400)
Subject: crash for lesser-permissioned users
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=b35d7b1a66dd54c84565f306fa85c0d35ba878e6;p=civicrm-core.git

crash for lesser-permissioned users
---

diff --git a/CRM/ACL/BAO/ACL.php b/CRM/ACL/BAO/ACL.php
index 154b178357..977f3d3997 100644
--- a/CRM/ACL/BAO/ACL.php
+++ b/CRM/ACL/BAO/ACL.php
@@ -265,10 +265,12 @@ ORDER BY a.object_id
 AND a.object_id IN (%1)
 ORDER BY a.object_id
 ";
- $denyDao = CRM_Core_DAO::executeQuery($denyQuery, [1 => [implode(',', $ids), 'CommaSeparatedIntegers']]);
- while ($denyDao->fetch()) {
- $key = array_search($denyDao->object_id, $ids);
- unset($ids[$key]);
+ if (!empty($ids)) {
+ $denyDao = CRM_Core_DAO::executeQuery($denyQuery, [1 => [implode(',', $ids), 'CommaSeparatedIntegers']]);
+ while ($denyDao->fetch()) {
+ $key = array_search($denyDao->object_id, $ids);
+ unset($ids[$key]);
+ }
 }
 if (!empty($ids)) {
diff --git a/tests/phpunit/api/v3/RelationshipTest.php b/tests/phpunit/api/v3/RelationshipTest.php
index cce47316b1..91ace3a2e3 100644
--- a/tests/phpunit/api/v3/RelationshipTest.php
+++ b/tests/phpunit/api/v3/RelationshipTest.php
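Review bot: The `array_search($denyDao->object_id, $ids)` on the new side still has no miss check, so when it returns `false` the following `unset($ids[$key])` evaluates as `unset($ids[0])` and silently drops an object id that no deny rule matched. The new `if (!empty($ids))` only prevents the empty `IN ()` query; whether a miss can actually occur (for example the same object_id coming back twice when several deny rows match it) depends on the query text above the hunk, which is not visible here. I would write `$key = array_search($denyDao->object_id, $ids); if ($key !== FALSE) { unset($ids[$key]); }`, and pass `TRUE` as the third argument if `$ids` is known to hold integers of the same type as the DAO value. The enclosing method begins and ends outside the hunk.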
@@ -1457,4 +1457,28 @@ class api_v3_RelationshipTest extends CiviUnitTestCase {
 ]));
 }
+ public function testCreateWithLesserPermissions() {
+ $this->setUpACLByCheating();
+ CRM_Core_Config::singleton()->userPermissionClass->permissions = [];
+ $params = [
+ 'contact_id_a' => $this->_cId_a,
+ 'contact_id_b' => $this->_cId_b,
+ 'relationship_type_id' => $this->relationshipTypeID,
+ ];
+ $id = $this->callAPISuccess('Relationship', 'create', $params)['id'];
+ $relationship = $this->callAPISuccess('Relationship', 'getsingle', ['id' => $id]);
+ $this->assertEquals($params, array_intersect_key($relationship, $params));
+ CRM_Core_DAO::executeQuery("DELETE FROM civicrm_acl");
+ }
+
+ /**
+ * Normally a stock install has some acls in the table even if they aren't in
+ * use. I can't figure out how to set them up another way so I just lifted
+ * this from civicrm_generated.mysql
+ */
+ private function setUpACLByCheating() {
+ CRM_Core_DAO::executeQuery("INSERT INTO civicrm_acl (name, deny, entity_table, entity_id, operation, object_table, object_id, acl_table, acl_id, is_active) VALUES ('Edit All Contacts', 0, 'civicrm_acl_role', 1, 'Edit', 'civicrm_saved_search', 0, NULL, NULL, 1)");
+ CRM_Core_DAO::executeQuery("INSERT INTO civicrm_acl (name, deny, entity_table, entity_id, operation, object_table, object_id, acl_table, acl_id, is_active) VALUES ('Core ACL',0,'civicrm_acl_role',0,'All','access CiviMail subscribe/unsubscribe pages',NULL,NULL,NULL,1)");
+ }
+
 }
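Review bot: The cleanup `CRM_Core_DAO::executeQuery("DELETE FROM civicrm_acl");` at the end of testCreateWithLesserPermissions only runs when every call before it succeeds, so a failing `callAPISuccess` or `assertEquals` leaves the two rows inserted by setUpACLByCheating, and the emptied `permissions` array on the config singleton, in place for later tests unless the base class resets them in tearDown, which I cannot see from here. Wrap the statements after `$this->setUpACLByCheating();` in `try { … } finally { CRM_Core_DAO::executeQuery("DELETE FROM civicrm_acl"); }`, or move the delete into the class's tearDown. Both new methods also omit a `: void` return type; match whatever the rest of the class does. The class api_v3_RelationshipTest begins outside the hunk.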