From: Edsel <edsel.lopez@jmaconsulting.biz>
Date: Wed, 10 Feb 2016 11:28:58 +0000 (+0530)
Subject: CRM-16259 CIVI-3 Modified permission checks for payment api
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=eba13f6d64a543c34fda46bb04adf8f429b8bcc3;p=civicrm-core.git

CRM-16259 CIVI-3 Modified permission checks for payment api

----------------------------------------
* CRM-16259: Create Payment API
  https://issues.civicrm.org/jira/browse/CRM-16259
---

diff --git a/CRM/Core/DAO/permissions.php b/CRM/Core/DAO/permissions.php
index f525fe139b..33ca4dc6b7 100644
--- a/CRM/Core/DAO/permissions.php
+++ b/CRM/Core/DAO/permissions.php
@@ -236,6 +236,34 @@ function _civicrm_api3_permissions($entity, $action, &$params) {
   );
   $permissions['line_item'] = $permissions['contribution'];
 
+  // Payment permissions
+  $permissions['payment'] = array(
+    'get' => array(
+      'access CiviCRM',
+      'access CiviContribute',
+    ),
+    'delete' => array(
+      'access CiviCRM',
+      'access CiviContribute',
+      'delete in CiviContribute',
+    ),
+    'cancel' => array(
+      'access CiviCRM',
+      'access CiviContribute',
+      'edit contributions',
+    ),
+    'create' => array(
+      'access CiviCRM',
+      'access CiviContribute',
+      'edit contributions',
+    ),
+    'default' => array(
+      'access CiviCRM',
+      'access CiviContribute',
+      'edit contributions',
+    ),
+  );
+
   // Custom field permissions
   $permissions['custom_field'] = array(
     'default' => array(
diff --git a/api/v3/Payment.php b/api/v3/Payment.php
index e7b88ef01a..4de7545221 100644
--- a/api/v3/Payment.php
+++ b/api/v3/Payment.php
@@ -41,9 +41,6 @@
  *   Array of financial transactions which are payments, if error an array with an error id and error message
  */
 function civicrm_api3_payment_get($params) {
-  if (!CRM_Core_Permission::check('access CiviContribute')) {
-    throw new API_Exception('You do not have permission to access this api');
-  }
   $financialTrxn = array();
   $limit = '';
   if (isset($params['options']) && CRM_Utils_Array::value('limit', $params['options'])) {
@@ -88,9 +85,6 @@ function civicrm_api3_payment_get($params) {
  *   Api result array
  */
 function civicrm_api3_payment_delete(&$params) {
-  if (!(CRM_Core_Permission::check('access CiviContribute') && CRM_Core_Permission::check('delete in CiviContribute'))) {
-    throw new API_Exception('You do not have permission to access this api');
-  }
   return civicrm_api3('FinancialTrxn', 'delete', $params);
 }
 
@@ -105,9 +99,6 @@ function civicrm_api3_payment_delete(&$params) {
  *   Api result array
  */
 function civicrm_api3_payment_cancel(&$params) {
-  if (!(CRM_Core_Permission::check('access CiviContribute') && CRM_Core_Permission::check('edit contributions'))) {
-    throw new API_Exception('You do not have permission to access this api');
-  }
   $eftParams = array(
     'entity_table' => 'civicrm_contribution',
     'financial_trxn_id' => $params['id'],
@@ -135,9 +126,6 @@ function civicrm_api3_payment_cancel(&$params) {
  *   Api result array
  */
 function civicrm_api3_payment_create(&$params) {
-  if (!(CRM_Core_Permission::check('access CiviContribute') && CRM_Core_Permission::check('edit contributions'))) {
-    throw new API_Exception('You do not have permission to access this api');
-  }
   // Check if it is an update
   if (CRM_Utils_Array::value('id', $params)) {
     $amount = $params['total_amount'];
diff --git a/tests/phpunit/api/v3/PaymentTest.php b/tests/phpunit/api/v3/PaymentTest.php
index d58fc91bf0..df91c8c1ab 100644
--- a/tests/phpunit/api/v3/PaymentTest.php
+++ b/tests/phpunit/api/v3/PaymentTest.php
@@ -49,8 +49,7 @@ class api_v3_PaymentTest extends CiviUnitTestCase {
 
     $this->_apiversion = 3;
     $this->_individualId = $this->individualCreate();
-    $config = CRM_Core_Config::singleton();
-    $config->userPermissionClass->permissions = array();
+    CRM_Core_Config::singleton()->userPermissionClass->permissions = array();
   }
 
   /**
@@ -59,8 +58,7 @@ class api_v3_PaymentTest extends CiviUnitTestCase {
   public function tearDown() {
     $this->quickCleanUpFinancialEntities();
     $this->quickCleanup(array('civicrm_uf_match'));
-    $config = CRM_Core_Config::singleton();
-    unset($config->userPermissionClass->permissions);
+    unset(CRM_Core_Config::singleton()->userPermissionClass->permissions);
   }
 
   /**
@@ -81,9 +79,8 @@ class api_v3_PaymentTest extends CiviUnitTestCase {
       'contribution_id' => $contribution['id'],
       'check_permissions' => TRUE,
     );
-    CRM_Core_Config::singleton()->userPermissionClass->permissions = array('administer CiviCRM');
-    $payment = $this->callAPIFailure('payment', 'get', $params);
-    $this->assertEquals('You do not have permission to access this api', $payment['error_message']);
+    CRM_Core_Config::singleton()->userPermissionClass->permissions = array('access CiviCRM', 'administer CiviCRM');
+    $payment = $this->callAPIFailure('payment', 'get', $params, 'API permission check failed for Payment/get call; insufficient permission: require access CiviCRM and access CiviContribute');
 
     array_push(CRM_Core_Config::singleton()->userPermissionClass->permissions, 'access CiviContribute');
 
@@ -301,10 +298,9 @@ class api_v3_PaymentTest extends CiviUnitTestCase {
       'id' => $payment['id'],
       'check_permissions' => TRUE,
     );
-    $payment = $this->callAPIFailure('payment', 'cancel', $cancelParams);
-    $this->assertEquals('You do not have permission to access this api', $payment['error_message']);
+    $payment = $this->callAPIFailure('payment', 'cancel', $cancelParams, 'API permission check failed for Payment/get call; insufficient permission: require access CiviCRM and edit contributions');
 
-    array_push(CRM_Core_Config::singleton()->userPermissionClass->permissions, 'edit contributions');
+    array_push(CRM_Core_Config::singleton()->userPermissionClass->permissions, 'access CiviCRM', 'edit contributions');
 
     $this->callAPIAndDocument('payment', 'cancel', $cancelParams, __FUNCTION__, __FILE__);
 
@@ -338,10 +334,9 @@ class api_v3_PaymentTest extends CiviUnitTestCase {
       'id' => $payment['id'],
       'check_permissions' => TRUE,
     );
-    $payment = $this->callAPIFailure('payment', 'delete', $deleteParams);
-    $this->assertEquals('You do not have permission to access this api', $payment['error_message']);
+    $payment = $this->callAPIFailure('payment', 'delete', $deleteParams, 'API permission check failed for Payment/get call; insufficient permission: require access CiviCRM and delete in CiviContribute');
 
-    array_push(CRM_Core_Config::singleton()->userPermissionClass->permissions, 'delete in CiviContribute');
+    array_push(CRM_Core_Config::singleton()->userPermissionClass->permissions, 'access CiviCRM', 'delete in CiviContribute');
     $this->callAPIAndDocument('payment', 'delete', $deleteParams, __FUNCTION__, __FILE__);
 
     $payment = $this->callAPIAndDocument('payment', 'get', $params, __FUNCTION__, __FILE__);
@@ -393,10 +388,9 @@ class api_v3_PaymentTest extends CiviUnitTestCase {
       'id' => $payment['id'],
       'check_permissions' => TRUE,
     );
-    $payment = $this->callAPIFailure('payment', 'create', $params);
-    $this->assertEquals('You do not have permission to access this api', $payment['error_message']);
+    $payment = $this->callAPIFailure('payment', 'create', $params, 'API permission check failed for Payment/get call; insufficient permission: require access CiviCRM and edit contributions');
 
-    array_push(CRM_Core_Config::singleton()->userPermissionClass->permissions, 'edit contributions');
+    array_push(CRM_Core_Config::singleton()->userPermissionClass->permissions, 'access CiviCRM', 'edit contributions');
     $payment = $this->callAPIAndDocument('payment', 'create', $params, __FUNCTION__, __FILE__);
 
     $params = array(