From 1a4651bad74eaa88fdaf4c292cd21669d091f3f8 Mon Sep 17 00:00:00 2001 From: Coleman Watts Date: Wed, 26 Aug 2015 14:25:51 -0400 Subject: [PATCH] CRM-16512 - fix 'view my contact' permission in api acl --- CRM/ACL/API.php | 16 ++++++++++++---- tests/phpunit/api/v3/ACLPermissionTest.php | 20 +++++++++++++++++--- 2 files changed, 29 insertions(+), 7 deletions(-) diff --git a/CRM/ACL/API.php b/CRM/ACL/API.php index 10bdac50a3..cd2deab2e4 100644 --- a/CRM/ACL/API.php +++ b/CRM/ACL/API.php @@ -118,12 +118,12 @@ class CRM_ACL_API { return $deleteClause; } - if ($contactID == NULL) { - $user = CRM_Core_Session::getLoggedInContactID(); - $contactID = $user ? $user : 0; + if (!$contactID) { + $contactID = CRM_Core_Session::getLoggedInContactID(); } + $contactID = (int) $contactID; - return implode(' AND ', + $where = implode(' AND ', array( CRM_ACL_BAO_ACL::whereClause($type, $tables, @@ -133,6 +133,14 @@ class CRM_ACL_API { $deleteClause, ) ); + + // Add permission on self + if ($contactID && (CRM_Core_Permission::check('edit my contact') || + $type == self::VIEW && CRM_Core_Permission::check('view my contact')) + ) { + $where = "contact_a.id = $contactID OR ($where)"; + } + return $where; } /** diff --git a/tests/phpunit/api/v3/ACLPermissionTest.php b/tests/phpunit/api/v3/ACLPermissionTest.php index 4624b4a393..b04bf2b990 100644 --- a/tests/phpunit/api/v3/ACLPermissionTest.php +++ b/tests/phpunit/api/v3/ACLPermissionTest.php 
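Review bot: The `$contactID = (int) $contactID;` line added after the `if (!$contactID)` block carries a security role that nothing in the hunk states: it is what makes `$contactID` safe to splice into SQL later in this method, and a future refactor could drop it as a harmless no-op. Suggest a comment above it such as `// Cast before use: $contactID is interpolated directly into the SQL clause built below.`. Note also that `!$contactID` differs from the old `== NULL` test for the string `'0'`, which now falls back to the logged-in contact rather than being kept; that looks intended but is a behaviour change worth a word in the commit message. The body of this method starts before and continues after the hunk.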
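Review bot: The new clause `$where = "contact_a.id = $contactID OR ($where)";` builds SQL by string interpolation and is only safe because `$contactID` was cast to int earlier in this method, outside this hunk; that dependency should be stated at the point of use, e.g. `// $contactID is an int (cast above); do not interpolate it without that cast.`. The guard mixes `||` and `&&` without parentheses: PHP binds `&&` tighter, so it groups as `edit my contact || ($type == self::VIEW && view my contact)`, which appears to be the intent, but `(CRM_Core_Permission::check('edit my contact') || ($type == self::VIEW && CRM_Core_Permission::check('view my contact')))` would make that explicit, and `$type === self::VIEW` avoids a loose comparison. If `$where` can ever be an empty string (not determinable from the hunk), the result ends in `OR ()` and is invalid SQL, so a guard on `$where !== ''` may be needed. The method's opening lines are outside the hunk.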
@@ -83,11 +83,11 @@ class api_v3_ACLPermissionTest extends CiviUnitTestCase { } /** - * Function tests that an empty where hook returns no results with edit my contact. + * Function tests that an empty where hook returns exactly 1 result with "view my contact". * * CRM-16512 caused contacts with Edit my contact to be able to view all records. */ - public function testContactGetNoResultsHookWithEditMyContact() { + public function testContactGetOneResultHookWithViewMyContact() { $this->createLoggedInUser(); $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults')); CRM_Core_Config::singleton()->userPermissionClass->permissions = array('access CiviCRM', 'view my contact'); @@ -95,7 +95,21 @@ class api_v3_ACLPermissionTest extends CiviUnitTestCase { 'check_permissions' => 1, 'return' => 'display_name', )); - $this->assertEquals(0, $result['count']); + $this->assertEquals(1, $result['count']); + } + + /** + * Function tests that a user with "edit my contact" can edit themselves. + */ + public function testContactEditHookWithEditMyContact() { + $this->markTestIncomplete('api acls only work with contact get so far'); + $cid = $this->createLoggedInUser(); + $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereHookNoResults')); + CRM_Core_Config::singleton()->userPermissionClass->permissions = array('access CiviCRM', 'edit my contact'); + $this->callAPISuccess('contact', 'create', array( + 'check_permissions' => 1, + 'id' => $cid, + )); } /** -- 2.25.1
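Review bot: The retained docblock sentence `CRM-16512 caused contacts with Edit my contact to be able to view all records.` no longer matches the test beneath it, which now grants only `view my contact` and expects a single result; a reader will assume the test exercises the edit permission. Suggest rewording it to `CRM-16512 caused contacts with "view my contact" or "edit my contact" to be able to view all records; with an ACL hook returning no rows, only the user's own contact should be visible.`. The rest of the test body continues in the next hunk.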
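Review bot: The changed assertion `$this->assertEquals(1, $result['count']);` proves one row came back but not that it is the logged-in contact's own row, which is the property the ACL change is meant to guarantee; since `createLoggedInUser()` returns the contact id (as the new test below relies on), capture it and also assert it, e.g. `$cid = $this->createLoggedInUser();` at the top and `$this->assertEquals($cid, $result['id']);` after the count check, assuming the single-record API result carries `id` as it does elsewhere in this suite. The new `testContactEditHookWithEditMyContact` is marked incomplete on its first line, so the `edit my contact` branch added to `CRM_ACL_API::whereClause` in this same commit has no executed coverage; at minimum a `contact` `get` with `'edit my contact'` granted, asserting count 1 and the matching id, would exercise that branch through the one API action the comment says ACLs currently support.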