From ae6d2c8ee469495b2fff903e70ddb86e5c057817 Mon Sep 17 00:00:00 2001
From: CiviCRM
Date: Wed, 16 Mar 2022 01:30:48 -0700
Subject: [PATCH] CRM_Core_Permission - Allow checking of anon-perms by authenticated-users

Each CRM_Core_Permission_* adapter allows you to check the permissions on behalf of some other user. However, if that "other user" is "anonymous", then they are prone to mishandling.
---
 CRM/Core/Permission/Backdrop.php | 2 +-
 CRM/Core/Permission/Drupal.php | 2 +-
 CRM/Core/Permission/Drupal6.php | 2 +-
 CRM/Core/Permission/Drupal8.php | 2 +-
 CRM/Core/Permission/Joomla.php | 5 ++++-
 CRM/Core/Permission/WordPress.php | 4 ++--
 6 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/CRM/Core/Permission/Backdrop.php b/CRM/Core/Permission/Backdrop.php
index de90766d72..6fc230a4a3 100644
--- a/CRM/Core/Permission/Backdrop.php
+++ b/CRM/Core/Permission/Backdrop.php
@@ -68,7 +68,7 @@ class CRM_Core_Permission_Backdrop extends CRM_Core_Permission_DrupalBase {
 }
 if (function_exists('user_access')) {
 $account = NULL;
- if ($userId) {
+ if ($userId || $userId === 0) {
 $account = user_load($userId);
 }
 return user_access($str, $account);
diff --git a/CRM/Core/Permission/Drupal.php b/CRM/Core/Permission/Drupal.php
index a6dbdd7a41..0b0abe0b0a 100644
--- a/CRM/Core/Permission/Drupal.php
+++ b/CRM/Core/Permission/Drupal.php
@@ -67,7 +67,7 @@ class CRM_Core_Permission_Drupal extends CRM_Core_Permission_DrupalBase {
 }
 if (function_exists('user_access')) {
 $account = NULL;
- if ($userId) {
+ if ($userId || $userId === 0) {
 $account = user_load($userId);
 }
 return user_access($str, $account);
diff --git a/CRM/Core/Permission/Drupal6.php b/CRM/Core/Permission/Drupal6.php
index d478f09b5d..5bae3568bd 100644
--- a/CRM/Core/Permission/Drupal6.php
+++ b/CRM/Core/Permission/Drupal6.php
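Review bot: The new guard `if ($userId || $userId === 0)` recognises only the integer 0 as the anonymous account; a string `'0'`, which is how an id arrives from a request parameter or a database column, is falsy and not identical to 0, so `$account` stays NULL and `user_access()` falls back to the currently logged-in user — exactly the mishandling the commit sets out to remove. The Joomla hunk already accepts `'0'` next to 0, and the same tolerance is needed here and in the Drupal.php, Drupal6.php, Drupal8.php and WordPress.php hunks, e.g. `if ($userId || $userId === 0 || $userId === '0') {`. The reason for spelling out `=== 0` is not obvious to a later reader either, so a comment on the guard would help: `// uid 0 is the anonymous account; it is falsy, so load it explicitly instead of falling back to the current user`. The enclosing check() begins before this hunk.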
@@ -67,7 +67,7 @@ class CRM_Core_Permission_Drupal6 extends CRM_Core_Permission_DrupalBase {
 }
 if (function_exists('user_access')) {
 $account = NULL;
- if ($userId) {
+ if ($userId || $userId === 0) {
 $account = user_load($userId);
 }
 return user_access($str, $account);
diff --git a/CRM/Core/Permission/Drupal8.php b/CRM/Core/Permission/Drupal8.php
index add83a00f3..eb1d570c37 100644
--- a/CRM/Core/Permission/Drupal8.php
+++ b/CRM/Core/Permission/Drupal8.php
@@ -41,7 +41,7 @@ class CRM_Core_Permission_Drupal8 extends CRM_Core_Permission_DrupalBase {
 if ($str == CRM_Core_Permission::ALWAYS_ALLOW_PERMISSION) {
 return TRUE;
 }
- $acct = $userId ? \Drupal\user\Entity\User::load($userId) : \Drupal::currentUser();
+ $acct = ($userId === 0 ? \Drupal\user\Entity\User::getAnonymousUser() : ($userId ? \Drupal\user\Entity\User::load($userId) : \Drupal::currentUser()));
 return $acct->hasPermission($str);
 }
diff --git a/CRM/Core/Permission/Joomla.php b/CRM/Core/Permission/Joomla.php
index 42d551dd19..1a3e333e40 100644
--- a/CRM/Core/Permission/Joomla.php
+++ b/CRM/Core/Permission/Joomla.php
@@ -33,7 +33,10 @@ class CRM_Core_Permission_Joomla extends CRM_Core_Permission_Base {
 public function check($str, $userId = NULL) {
 $config = CRM_Core_Config::singleton();
 // JFactory::getUser does strict type checking, so convert falesy values to NULL
- if (!$userId) {
+ if ($userId === 0 || $userId === '0') {
+ $userId = 0;
+ }
+ elseif (!$userId) {
 $userId = NULL;
 }
diff --git a/CRM/Core/Permission/WordPress.php b/CRM/Core/Permission/WordPress.php
index 03eeb9be3b..dfcc6c34a3 100644
--- a/CRM/Core/Permission/WordPress.php
+++ b/CRM/Core/Permission/WordPress.php
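Review bot: The replacement line in the Drupal8.php hunk folds three distinct cases (anonymous, explicit uid, current user) into a nested ternary of roughly 150 characters, leaving no room for a comment that says why 0 needs a branch of its own; an if/elseif chain as below reads better and gives that comment a home. `User::load()` returns NULL when no account has the given uid, so the `hasPermission()` call on the following line would fail for a stale id — that predates this commit, but the flattened form is the natural place to handle it if desired. check() starts before this hunk.
```php
    if ($userId === 0) {
      // uid 0 is the anonymous account; it is falsy, so resolve it explicitly
      // rather than letting it fall through to the current user.
      $acct = \Drupal\user\Entity\User::getAnonymousUser();
    }
    elseif ($userId) {
      $acct = \Drupal\user\Entity\User::load($userId);
    }
    else {
      $acct = \Drupal::currentUser();
    }
    return $acct->hasPermission($str);
```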
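Review bot: In the Joomla.php hunk the context comment `// JFactory::getUser does strict type checking, so convert falesy values to NULL` no longer describes the code beneath it, which now keeps 0 and `'0'` as the integer 0 and maps only the remaining falsy values to NULL, so a reader will wonder why 0 escapes the conversion. I would reword it as `// JFactory::getUser does strict type checking: 0 / '0' mean the anonymous (guest) user and are kept as int 0; other falsy values mean "current user" and become NULL` (which also fixes the "falesy" typo). Whether getUser(0) actually yields a guest account rather than the session user is not visible in this hunk and should be confirmed against the Joomla version in use. The body of check() continues past the hunk, where $userId is consumed.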
@@ -60,14 +60,14 @@ class CRM_Core_Permission_WordPress extends CRM_Core_Permission_Base {
 $user = $userId ? get_userdata($userId) : wp_get_current_user();
- if ($user->has_cap('super admin') || $user->has_cap('administrator')) {
+ if ($userId !== 0 && ($user->has_cap('super admin') || $user->has_cap('administrator'))) {
 return TRUE;
 }
 // Make string lowercase and convert spaces into underscore
 $str = CRM_Utils_String::munge(strtolower($str));
- if ($user->exists()) {
+ if ($userId !== 0 && $user->exists()) {
 // Check whether the logged in user has the capabilitity
 if ($user->has_cap($str)) {
 return TRUE;
-- 
2.25.1
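Review bot: For an anonymous check (`$userId === 0`) the first context line still evaluates `$userId ? get_userdata($userId) : wp_get_current_user()`, so `$user` holds the logged-in caller for the rest of the function; the two new `$userId !== 0` guards keep the admin shortcut and the `exists()` branch from consulting that user, but any later reference to `$user` in check(), which continues past the end of the hunk, would silently test the caller's capabilities instead of the anonymous role's. Resolving the account once makes the intent explicit and removes the need for the guards: `$user = $userId === 0 ? new WP_User(0) : ($userId ? get_userdata($userId) : wp_get_current_user());`. As far as I recall of the WordPress API a `WP_User` built for ID 0 carries no capabilities and its `exists()` returns FALSE, so both guarded branches would fall through naturally — worth confirming against the WordPress versions CiviCRM supports. If the guards are kept instead, a comment such as `// $user is the caller here; an anonymous check must never consult its caps` on the first of them would spare the next reader the same puzzle.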