From: Edsel Date: Wed, 10 Feb 2016 11:28:58 +0000 (+0530) Subject: CRM-16259 CIVI-3 Modified permission checks for payment api X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=eba13f6d64a543c34fda46bb04adf8f429b8bcc3;p=civicrm-core.git CRM-16259 CIVI-3 Modified permission checks for payment api ---------------------------------------- * CRM-16259: Create Payment API https://issues.civicrm.org/jira/browse/CRM-16259
---
diff --git a/CRM/Core/DAO/permissions.php b/CRM/Core/DAO/permissions.php
index f525fe139b..33ca4dc6b7 100644
--- a/CRM/Core/DAO/permissions.php
+++ b/CRM/Core/DAO/permissions.php
@@ -236,6 +236,34 @@ function _civicrm_api3_permissions($entity, $action, &$params) {
 );
 $permissions['line_item'] = $permissions['contribution'];
 
+ // Payment permissions
+ $permissions['payment'] = array(
+ 'get' => array(
+ 'access CiviCRM',
+ 'access CiviContribute',
+ ),
+ 'delete' => array(
+ 'access CiviCRM',
+ 'access CiviContribute',
+ 'delete in CiviContribute',
+ ),
+ 'cancel' => array(
+ 'access CiviCRM',
+ 'access CiviContribute',
+ 'edit contributions',
+ ),
+ 'create' => array(
+ 'access CiviCRM',
+ 'access CiviContribute',
+ 'edit contributions',
+ ),
+ 'default' => array(
+ 'access CiviCRM',
+ 'access CiviContribute',
+ 'edit contributions',
+ ),
+ );
+
 // Custom field permissions
 $permissions['custom_field'] = array(
 'default' => array(
diff --git a/api/v3/Payment.php b/api/v3/Payment.php
index e7b88ef01a..4de7545221 100644
--- a/api/v3/Payment.php
+++ b/api/v3/Payment.php
@@ -41,9 +41,6 @@
 * Array of financial transactions which are payments, if error an array with an error id and error message
 */
 function civicrm_api3_payment_get($params) {
- if (!CRM_Core_Permission::check('access CiviContribute')) {
- throw new API_Exception('You do not have permission to access this api');
- }
 $financialTrxn = array();
 $limit = '';
 if (isset($params['options']) && CRM_Utils_Array::value('limit', $params['options'])) {
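Review bot: The 'cancel' and 'create' entries in the new $permissions['payment'] block are byte-for-byte the same as 'default', and nothing in the hunk records how a list is evaluated; the get test in this same commit expects "require access CiviCRM and access CiviContribute", which suggests every permission named for an action must be held (AND), but a reader of permissions.php cannot see that. A comment above the block would save checking the framework: `// Every permission in an action's list is required (AND); 'default' covers any action not listed.` If keeping 'cancel' and 'create' explicit is meant to guard against later edits to 'default', say so in that comment as well; otherwise the two duplicates could be dropped. _civicrm_api3_permissions begins and ends outside this hunk.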
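Review bot: Removing the inline CRM_Core_Permission::check from civicrm_api3_payment_get changes when the permission is enforced, not only which permissions: the old check ran on every call, whereas the framework check that now replaces it appears to run only when the caller passes check_permissions (the tests in this commit set `'check_permissions' => TRUE` explicitly to reach the failure path). That is consistent with how other api3 entities are gated, but the function docblock should state it so a caller does not assume the API self-enforces, e.g. `* Permissions are enforced by the api3 framework from CRM/Core/DAO/permissions.php when 'check_permissions' is set.` The same docblock line belongs on the delete, cancel and create hunks in this file, where the equivalent inline checks are removed. civicrm_api3_payment_get continues outside the hunk.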
@@ -88,9 +85,6 @@ function civicrm_api3_payment_get($params) {
 * Api result array
 */
 function civicrm_api3_payment_delete(&$params) {
- if (!(CRM_Core_Permission::check('access CiviContribute') && CRM_Core_Permission::check('delete in CiviContribute'))) {
- throw new API_Exception('You do not have permission to access this api');
- }
 return civicrm_api3('FinancialTrxn', 'delete', $params);
 }
 
@@ -105,9 +99,6 @@ function civicrm_api3_payment_delete(&$params) {
 * Api result array
 */
 function civicrm_api3_payment_cancel(&$params) {
- if (!(CRM_Core_Permission::check('access CiviContribute') && CRM_Core_Permission::check('edit contributions'))) {
- throw new API_Exception('You do not have permission to access this api');
- }
 $eftParams = array(
 'entity_table' => 'civicrm_contribution',
 'financial_trxn_id' => $params['id'],
@@ -135,9 +126,6 @@ function civicrm_api3_payment_cancel(&$params) {
 * Api result array
 */
 function civicrm_api3_payment_create(&$params) {
- if (!(CRM_Core_Permission::check('access CiviContribute') && CRM_Core_Permission::check('edit contributions'))) {
- throw new API_Exception('You do not have permission to access this api');
- }
 // Check if it is an update
 if (CRM_Utils_Array::value('id', $params)) {
 $amount = $params['total_amount'];
diff --git a/tests/phpunit/api/v3/PaymentTest.php b/tests/phpunit/api/v3/PaymentTest.php
index d58fc91bf0..df91c8c1ab 100644
--- a/tests/phpunit/api/v3/PaymentTest.php
+++ b/tests/phpunit/api/v3/PaymentTest.php
@@ -49,8 +49,7 @@ class api_v3_PaymentTest extends CiviUnitTestCase {
 $this->_apiversion = 3;
 $this->_individualId = $this->individualCreate();
 
- $config = CRM_Core_Config::singleton();
- $config->userPermissionClass->permissions = array();
+ CRM_Core_Config::singleton()->userPermissionClass->permissions = array();
 }
 
 /**
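Review bot: With its own check gone, civicrm_api3_payment_delete forwards $params unchanged to civicrm_api3('FinancialTrxn', 'delete', $params), so when check_permissions is set the FinancialTrxn entity's own permission entry is presumably evaluated in addition to the new 'payment' => 'delete' entry, and the effective requirement is the union of both maps — nothing in this commit records that. If that is the intended contract, the docblock should say so: `* $params (including check_permissions) are forwarded to FinancialTrxn.delete, whose own permissions also apply.` If it is not intended, the inner call needs an explicit decision on check_permissions rather than inheriting it. The docblock for this function starts outside the hunk.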
@@ -59,8 +58,7 @@ class api_v3_PaymentTest extends CiviUnitTestCase {
 public function tearDown() {
 $this->quickCleanUpFinancialEntities();
 $this->quickCleanup(array('civicrm_uf_match'));
- $config = CRM_Core_Config::singleton();
- unset($config->userPermissionClass->permissions);
+ unset(CRM_Core_Config::singleton()->userPermissionClass->permissions);
 }
 
 /**
@@ -81,9 +79,8 @@ class api_v3_PaymentTest extends CiviUnitTestCase {
 'contribution_id' => $contribution['id'],
 'check_permissions' => TRUE,
 );
- CRM_Core_Config::singleton()->userPermissionClass->permissions = array('administer CiviCRM');
- $payment = $this->callAPIFailure('payment', 'get', $params);
- $this->assertEquals('You do not have permission to access this api', $payment['error_message']);
+ CRM_Core_Config::singleton()->userPermissionClass->permissions = array('access CiviCRM', 'administer CiviCRM');
+ $payment = $this->callAPIFailure('payment', 'get', $params, 'API permission check failed for Payment/get call; insufficient permission: require access CiviCRM and access CiviContribute');
 
 array_push(CRM_Core_Config::singleton()->userPermissionClass->permissions, 'access CiviContribute');
 
@@ -301,10 +298,9 @@ class api_v3_PaymentTest extends CiviUnitTestCase {
 'id' => $payment['id'],
 'check_permissions' => TRUE,
 );
- $payment = $this->callAPIFailure('payment', 'cancel', $cancelParams);
- $this->assertEquals('You do not have permission to access this api', $payment['error_message']);
+ $payment = $this->callAPIFailure('payment', 'cancel', $cancelParams, 'API permission check failed for Payment/get call; insufficient permission: require access CiviCRM and edit contributions');
 
- array_push(CRM_Core_Config::singleton()->userPermissionClass->permissions, 'edit contributions');
+ array_push(CRM_Core_Config::singleton()->userPermissionClass->permissions, 'access CiviCRM', 'edit contributions');
 
 $this->callAPIAndDocument('payment', 'cancel', $cancelParams, __FUNCTION__, __FILE__);
 
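Review bot: The expected failure message for the cancel call names `Payment/get call` and lists only `access CiviCRM and edit contributions`, while the 'cancel' entry this commit adds to CRM/Core/DAO/permissions.php requires access CiviCRM, access CiviContribute and edit contributions; the get expectation earlier in this file matches its action name and full permission list exactly, which suggests the message is built from both, so this string looks copied from the get case and, if callAPIFailure compares it exactly, cannot pass against the declared map. The same copied `Payment/get call` text with a shortened list appears in the delete and create test hunks that follow. The expectation here should presumably read `'API permission check failed for Payment/cancel call; insufficient permission: require access CiviCRM and access CiviContribute and edit contributions'`, with the matching action and list for delete and create. If callAPIFailure only matches loosely, the assertion is not pinning the permission set it was written to pin and the text is still worth correcting. The enclosing test method starts and ends outside the hunk.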
@@ -338,10 +334,9 @@ class api_v3_PaymentTest extends CiviUnitTestCase {
 'id' => $payment['id'],
 'check_permissions' => TRUE,
 );
- $payment = $this->callAPIFailure('payment', 'delete', $deleteParams);
- $this->assertEquals('You do not have permission to access this api', $payment['error_message']);
+ $payment = $this->callAPIFailure('payment', 'delete', $deleteParams, 'API permission check failed for Payment/get call; insufficient permission: require access CiviCRM and delete in CiviContribute');
 
- array_push(CRM_Core_Config::singleton()->userPermissionClass->permissions, 'delete in CiviContribute');
+ array_push(CRM_Core_Config::singleton()->userPermissionClass->permissions, 'access CiviCRM', 'delete in CiviContribute');
 
 $this->callAPIAndDocument('payment', 'delete', $deleteParams, __FUNCTION__, __FILE__);
 $payment = $this->callAPIAndDocument('payment', 'get', $params, __FUNCTION__, __FILE__);
@@ -393,10 +388,9 @@ class api_v3_PaymentTest extends CiviUnitTestCase {
 'id' => $payment['id'],
 'check_permissions' => TRUE,
 );
- $payment = $this->callAPIFailure('payment', 'create', $params);
- $this->assertEquals('You do not have permission to access this api', $payment['error_message']);
+ $payment = $this->callAPIFailure('payment', 'create', $params, 'API permission check failed for Payment/get call; insufficient permission: require access CiviCRM and edit contributions');
 
- array_push(CRM_Core_Config::singleton()->userPermissionClass->permissions, 'edit contributions');
+ array_push(CRM_Core_Config::singleton()->userPermissionClass->permissions, 'access CiviCRM', 'edit contributions');
 
 $payment = $this->callAPIAndDocument('payment', 'create', $params, __FUNCTION__, __FILE__);
 
 $params = array(