From: Seamus Lee
Date: Tue, 26 Nov 2019 19:41:41 +0000 (+1100)
Subject: Conditionally add metadata for advanced search only if the user has access for search...
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=e26bc72e5e732cb6226edd0718f0df484f952ed0;p=civicrm-core.git
Conditionally add metadata for advanced search only if the user has access for searching to that perticular component
---
diff --git a/CRM/Contact/Form/Search.php b/CRM/Contact/Form/Search.php
index a225db1225..f62137c658 100644
--- a/CRM/Contact/Form/Search.php
+++ b/CRM/Contact/Form/Search.php
@@ -906,16 +906,30 @@ class CRM_Contact_Form_Search extends CRM_Core_Form_Search {
 return ts('Search');
 }
+ /**
+ * Check Access for a component
+ * @param string $component
+ * @return bool
+ */
+ protected static function checkComponentAccess($component) {
+ $enabledComponents = CRM_Core_Component::getEnabledComponents();
+ if (!array_key_exists($component, $enabledComponents)) {
+ return FALSE;
+ }
+ return CRM_Core_Permission::access($component);
+ }
+
 /**
 * Load metadata for fields on the form.
 *
 * @throws \CiviCRM_API3_Exception
 */
 protected function loadMetadata() {
- // @todo - check what happens if the person does not have 'access civicontribute' - make sure they
 // can't by pass acls by passing search criteria in the url.
- $this->addSearchFieldMetadata(['Contribution' => CRM_Contribute_BAO_Query::getSearchFieldMetadata()]);
- $this->addSearchFieldMetadata(['ContributionRecur' => CRM_Contribute_BAO_ContributionRecur::getContributionRecurSearchFieldMetadata()]);
+ if (self::checkComponentAccess('CiviContribute')) {
+ $this->addSearchFieldMetadata(['Contribution' => CRM_Contribute_BAO_Query::getSearchFieldMetadata()]);
+ $this->addSearchFieldMetadata(['ContributionRecur' => CRM_Contribute_BAO_ContributionRecur::getContributionRecurSearchFieldMetadata()]);
+ }
 }
 }
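Review bot: In `loadMetadata()`, removing only the first line of the two-line `@todo` leaves the fragment `// can't by pass acls by passing search criteria in the url.` behind as context, where it now reads as a statement of fact rather than an open question. The new guard only decides whether the Contribution and ContributionRecur field metadata is registered on the form; nothing in this hunk shows that contribution criteria supplied in the URL are ignored downstream for a user who fails `checkComponentAccess('CiviContribute')`, so the concern in the removed `@todo` may still need verifying. I would replace the leftover line with a complete comment such as `// Only register contribution search fields for users with CiviContribute access; URL-supplied criteria must still be ACL-checked when the query is built (TODO confirm).` and add a test for the no-permission case. Separately, the helper is `protected static` but called through `self::`, so a subclass override would not be picked up; `static::checkComponentAccess('CiviContribute')` would honour one if overriding is intended.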