From: Coleman Watts <coleman@civicrm.org>
Date: Fri, 17 Jul 2015 01:52:24 +0000 (-0400)
Subject: CRM-16836 - Enforce permissions in group api getoptions
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=c108566b66a14f46b0ff9fe10dc3cf4d15ce12ac;p=civicrm-core.git

CRM-16836 - Enforce permissions in group api getoptions
---

diff --git a/CRM/Contact/BAO/GroupContact.php b/CRM/Contact/BAO/GroupContact.php
index d29b3267b5..2a564f3feb 100644
--- a/CRM/Contact/BAO/GroupContact.php
+++ b/CRM/Contact/BAO/GroupContact.php
@@ -799,10 +799,15 @@ AND    contact_id IN ( $contactStr )
 
     $options = CRM_Core_PseudoConstant::get(__CLASS__, $fieldName, $params, $context);
 
-    // Sort group list by hierarchy
-    // TODO: This will only work when api.entity is "group_contact". What about others?
-    if (($fieldName == 'group' || $fieldName == 'group_id') && ($context == 'search' || $context == 'create')) {
-      $options = CRM_Contact_BAO_Group::getGroupsHierarchy($options, NULL, '- ', TRUE);
+    if (($fieldName == 'group' || $fieldName == 'group_id')) {
+      // Enforce group visibility permissions
+      if (!empty($props['check_permissions'])) {
+        $options = CRM_Core_PseudoConstant::group();
+      }
+      if ($context == 'search' || $context == 'create') {
+        // Sort group list by hierarchy
+        $options = CRM_Contact_BAO_Group::getGroupsHierarchy($options, NULL, '- ', TRUE);
+      }
     }
 
     return $options;