From: Coleman Watts
Date: Fri, 17 Jul 2015 01:52:24 +0000 (-0400)
Subject: CRM-16836 - Enforce permissions in group api getoptions
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=c108566b66a14f46b0ff9fe10dc3cf4d15ce12ac;p=civicrm-core.git
CRM-16836 - Enforce permissions in group api getoptions
---
diff --git a/CRM/Contact/BAO/GroupContact.php b/CRM/Contact/BAO/GroupContact.php
index d29b3267b5..2a564f3feb 100644
--- a/CRM/Contact/BAO/GroupContact.php
+++ b/CRM/Contact/BAO/GroupContact.php
@@ -799,10 +799,15 @@ AND contact_id IN ( $contactStr )
 $options = CRM_Core_PseudoConstant::get(__CLASS__, $fieldName, $params, $context);
- // Sort group list by hierarchy
- // TODO: This will only work when api.entity is "group_contact". What about others?
- if (($fieldName == 'group' || $fieldName == 'group_id') && ($context == 'search' || $context == 'create')) {
- $options = CRM_Contact_BAO_Group::getGroupsHierarchy($options, NULL, '- ', TRUE);
+ if (($fieldName == 'group' || $fieldName == 'group_id')) {
+ // Enforce group visibility permissions
+ if (!empty($props['check_permissions'])) {
+ $options = CRM_Core_PseudoConstant::group();
+ }
+ if ($context == 'search' || $context == 'create') {
+ // Sort group list by hierarchy
+ $options = CRM_Contact_BAO_Group::getGroupsHierarchy($options, NULL, '- ', TRUE);
+ }
 }
 return $options;
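Review bot: When `$props['check_permissions']` is set, the added branch replaces `$options` wholesale with `CRM_Core_PseudoConstant::group()`, so the list that `CRM_Core_PseudoConstant::get(__CLASS__, $fieldName, $params, $context)` built for the requested `$context` is discarded and every context receives the same values. If `group()` returns the permitted groups keyed by id (not visible in this hunk), narrowing instead of replacing would keep the context-specific values while still dropping groups the user may not see: `$options = array_intersect_key($options, CRM_Core_PseudoConstant::group());`. The filter is also opt-in, so a caller that omits `check_permissions` still receives the unfiltered list; the comment should state that, e.g. `// Applied only when the caller passes check_permissions; other callers receive every group`. The enclosing function begins and ends outside the hunk, so where `$props` is populated cannot be confirmed from here.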