From 174a1918140f9bc17abaa3d624b8414ce35caa30 Mon Sep 17 00:00:00 2001
From: Coleman Watts
Date: Fri, 8 Jan 2016 22:04:08 -0500
Subject: [PATCH] CRM-17795 - Refine api permissions for civiCase

---
 CRM/Case/BAO/Case.php         | 27 +++++++++++++++++++++++++++
 CRM/Case/Form/Task/Delete.php |  2 +-
 CRM/Case/Info.php             |  6 +++++-
 CRM/Core/DAO/permissions.php  |  4 ++--
 4 files changed, 35 insertions(+), 4 deletions(-)

diff --git a/CRM/Case/BAO/Case.php b/CRM/Case/BAO/Case.php
index c81fcf48fd..61e223869f 100644
--- a/CRM/Case/BAO/Case.php
+++ b/CRM/Case/BAO/Case.php
@@ -3454,4 +3454,31 @@ WHERE id IN (' . implode(',', $copiedActivityIds) . ')';
     return CRM_Core_PseudoConstant::get($className, $fieldName, $params, $context);
   }
 
+  /**
+   * @inheritDoc
+   */
+  public function apiWhereClause($tableAlias) {
+    $clauses = array();
+    // Only case admins can view deleted cases
+    if (!CRM_Core_Permission::check('administer CiviCase')) {
+      $clauses[] = "`$tableAlias`.is_deleted = 0";
+    }
+    // Ensure the user has permission to view the case client
+    $contactClause = CRM_Contact_BAO_Contact_Permission::cacheSubquery('contact_id');
+    if ($contactClause !== NULL) {
+      $clauses[] = "`$tableAlias`.id IN (SELECT case_id FROM civicrm_case_contact WHERE $contactClause)";
+    }
+    // The api gatekeeper ensures the user has at least "access all cases and activities"
+    // so if they do not have permission to see all cases we'll assume they can only access their own
+    if (!CRM_Core_Permission::check('access all cases and activities')) {
+      $user = (int) CRM_Core_Session::getLoggedInContactID();
+      $clauses[] = "`$tableAlias`.id IN (
+        SELECT r.case_id FROM civicrm_relationship r, civicrm_case_contact cc WHERE r.is_active = 1 AND cc.case_id = r.case_id AND (
+          (contact_id_a = cc.contact_id AND contact_id_b = $user) OR (contact_id_b = cc.contact_id AND contact_id_a = $user)
+        )
+      )";
+    }
+    return $clauses ? implode(' AND ', $clauses) : NULL;
+  }
+
 }
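Review bot: The comment above the third check in apiWhereClause says the api gatekeeper guarantees "access all cases and activities", which contradicts both the condition it introduces (`!CRM_Core_Permission::check('access all cases and activities')` could never be true under that guarantee, making the own-cases branch look like dead code) and the permissions.php hunk in this same patch, which lowers the default to 'access my cases and activities'. Suggest `// The api gatekeeper ensures the user has at least "access my cases and activities",` so the comment matches the gate actually applied. Separately, `$tableAlias` is spliced into SQL unescaped; it is presumably a framework-supplied identifier rather than request input, but a cheap guard such as `if (!preg_match('/^\w+$/', $tableAlias)) { throw new CRM_Core_Exception('Invalid table alias'); }` would document and enforce that assumption. When no contact is logged in, `(int) NULL` yields `0` and the relationship subquery matches nothing, which is the safe direction, and it may be worth a one-line comment saying so. The enclosing class CRM_Case_BAO_Case begins outside the hunk.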
diff --git a/CRM/Case/Form/Task/Delete.php b/CRM/Case/Form/Task/Delete.php
index e517db79a3..7e9e2473ef 100644
--- a/CRM/Case/Form/Task/Delete.php
+++ b/CRM/Case/Form/Task/Delete.php
@@ -65,7 +65,7 @@ class CRM_Case_Form_Task_Delete extends CRM_Case_Form_Task {
    * Build the form object.
    */
   public function buildQuickForm() {
-    $this->addDefaultButtons(ts('Delete Cases'), 'done');
+    $this->addDefaultButtons(ts('Delete cases'), 'done');
   }
 
   /**
diff --git a/CRM/Case/Info.php b/CRM/Case/Info.php
index 0c91d9a59c..6117e85a18 100644
--- a/CRM/Case/Info.php
+++ b/CRM/Case/Info.php
@@ -101,19 +101,23 @@ class CRM_Case_Info extends CRM_Core_Component_Info {
     $permissions = array(
       'delete in CiviCase' => array(
         ts('delete in CiviCase'),
-        ts('Delete Cases'),
+        ts('Delete cases'),
       ),
       'administer CiviCase' => array(
         ts('administer CiviCase'),
+        ts('Define case types, access deleted cases'),
       ),
       'access my cases and activities' => array(
         ts('access my cases and activities'),
+        ts('View and edit only those cases managed by this user'),
       ),
       'access all cases and activities' => array(
         ts('access all cases and activities'),
+        ts('View and edit all cases (for visible contacts)'),
       ),
       'add cases' => array(
         ts('add cases'),
+        ts('Open a new case'),
       ),
     );
 
diff --git a/CRM/Core/DAO/permissions.php b/CRM/Core/DAO/permissions.php
index 8663778a5e..bc2634d0ab 100644
--- a/CRM/Core/DAO/permissions.php
+++ b/CRM/Core/DAO/permissions.php
@@ -179,8 +179,8 @@ function _civicrm_api3_permissions($entity, $action, &$params) {
       'delete in CiviCase',
     ),
     'default' => array(
-      'access CiviCRM',
-      'access all cases and activities',
+      // This is the minimum permission needed. Finer-grained access is controlled by CRM_Case_BAO_Case::apiWhereClause
+      'access my cases and activities',
     ),
   );
 
-- 
2.25.1
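Review bot: The new 'default' entry in the permissions.php hunk requires 'access my cases and activities' on its own, so a role that was granted only 'access all cases and activities' (the permission the old default required) is now refused by the api gatekeeper before CRM_Case_BAO_Case::apiWhereClause is ever consulted. Unless CRM_Core_Permission::check treats the "all" permission as implying the "my" one — nothing in this patch shows that — the default should accept either, e.g. `'default' => array(array('access my cases and activities', 'access all cases and activities'),),` if this file's nested-array form for "any of these" applies here. The silently dropped 'access CiviCRM' requirement also widens who can reach case endpoints and deserves a sentence in the commit message or the inline comment. The `_civicrm_api3_permissions` function continues outside the hunk.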