From 390820a1bd90c9be51ca8f236cecdebfbefc8342 Mon Sep 17 00:00:00 2001
From: Eileen McNaughton <emcnaughton@wikimedia.org>
Date: Wed, 18 Oct 2023 12:59:52 +1300
Subject: [PATCH] Fix variable leakage between uf_group_id & contact ID

---
 CRM/Contact/Form/Search.php          | 29 ++++++++++++----------------
 CRM/Contact/Form/Search/Advanced.php | 12 +++++-------
 CRM/Contact/Form/Search/Builder.php  |  9 +--------
 CRM/Contact/Form/Search/Criteria.php |  4 ++--
 4 files changed, 20 insertions(+), 34 deletions(-)

diff --git a/CRM/Contact/Form/Search.php b/CRM/Contact/Form/Search.php
index 575b3d38c2..ac69d0ce9b 100644
--- a/CRM/Contact/Form/Search.php
+++ b/CRM/Contact/Form/Search.php
@@ -530,7 +530,7 @@ class CRM_Contact_Form_Search extends CRM_Core_Form_Search {
     $this->_amtgID = CRM_Utils_Request::retrieve('amtgID', 'Positive', $this);
     $this->_ssID = CRM_Utils_Request::retrieve('ssID', 'Positive', $this);
     $this->_sortByCharacter = CRM_Utils_Request::retrieve('sortByCharacter', 'String', $this);
-    $this->_ufGroupID = CRM_Utils_Request::retrieve('id', 'Positive', $this);
+    $ufGroupID = CRM_Utils_Request::retrieve('uf_group_id', 'Positive', $this);
     $this->_componentMode = CRM_Utils_Request::retrieve('component_mode', 'Positive', $this, FALSE, CRM_Contact_BAO_Query::MODE_CONTACTS, $_REQUEST);
     $this->_operator = CRM_Utils_Request::retrieve('operator', 'String', $this, FALSE, CRM_Contact_BAO_Query::SEARCH_OPERATOR_AND, 'REQUEST');
 
@@ -547,10 +547,10 @@ class CRM_Contact_Form_Search extends CRM_Core_Form_Search {
 
     // if we dont get this from the url, use default if one exsts
     $config = CRM_Core_Config::singleton();
-    if ($this->_ufGroupID == NULL &&
+    if ($ufGroupID == NULL &&
       $config->defaultSearchProfileID != NULL
     ) {
-      $this->_ufGroupID = $config->defaultSearchProfileID;
+      $ufGroupID = $config->defaultSearchProfileID;
     }
 
     // assign context to drive the template display, make sure context is valid
@@ -579,9 +579,9 @@ class CRM_Contact_Form_Search extends CRM_Core_Form_Search {
       $this->_returnProperties = &$this->returnProperties();
 
       // also get the uf group id directly from the post value
-      $this->_ufGroupID = CRM_Utils_Array::value('uf_group_id', $_POST, $this->_ufGroupID);
-      $this->_formValues['uf_group_id'] = $this->_ufGroupID;
-      $this->set('id', $this->_ufGroupID);
+      $ufGroupID = $_POST['uf_group_id'] ?? $ufGroupID;
+      $this->_formValues['uf_group_id'] = $ufGroupID;
+      $this->set('uf_group_id', $ufGroupID);
 
       // also get the object mode directly from the post value
       $this->_componentMode = CRM_Utils_Array::value('component_mode', $_POST, $this->_componentMode);
@@ -595,8 +595,8 @@ class CRM_Contact_Form_Search extends CRM_Core_Form_Search {
       $this->_formValues = $this->get('formValues');
       $this->_params = CRM_Contact_BAO_Query::convertFormValues($this->_formValues, 0, FALSE, NULL, $this->entityReferenceFields);
       $this->_returnProperties = &$this->returnProperties();
-      if (!empty($this->_ufGroupID)) {
-        $this->set('id', $this->_ufGroupID);
+      if ($ufGroupID) {
+        $this->set('uf_group_id', $ufGroupID);
       }
     }
 
@@ -623,9 +623,9 @@ class CRM_Contact_Form_Search extends CRM_Core_Form_Search {
         $this->_returnProperties = &$this->returnProperties();
       }
       else {
-        if (isset($this->_ufGroupID)) {
+        if ($ufGroupID) {
           // also set the uf group id if not already present
-          $this->_formValues['uf_group_id'] = $this->_ufGroupID;
+          $this->_formValues['uf_group_id'] = $ufGroupID;
         }
         if (isset($this->_componentMode)) {
           $this->_formValues['component_mode'] = $this->_componentMode;
@@ -667,9 +667,7 @@ class CRM_Contact_Form_Search extends CRM_Core_Form_Search {
         }
       }
     }
-    $this->assign('id',
-      CRM_Utils_Array::value('uf_group_id', $this->_formValues)
-    );
+    $this->assign('id', $ufGroupID);
     $operator = CRM_Utils_Array::value('operator', $this->_formValues, CRM_Contact_BAO_Query::SEARCH_OPERATOR_AND);
     $this->set('queryOperator', $operator);
     if ($operator == CRM_Contact_BAO_Query::SEARCH_OPERATOR_OR) {
@@ -768,10 +766,7 @@ class CRM_Contact_Form_Search extends CRM_Core_Form_Search {
 
     //get the button name
     $buttonName = $this->controller->getButtonName();
-
-    if (isset($this->_ufGroupID) && empty($this->_formValues['uf_group_id'])) {
-      $this->_formValues['uf_group_id'] = $this->_ufGroupID;
-    }
+    $this->_formValues['uf_group_id'] = $this->_formValues['uf_group_id'] ?? $this->get('uf_group_id');
 
     if (isset($this->_componentMode) && empty($this->_formValues['component_mode'])) {
       $this->_formValues['component_mode'] = $this->_componentMode;
diff --git a/CRM/Contact/Form/Search/Advanced.php b/CRM/Contact/Form/Search/Advanced.php
index fb00ab8809..7b9d471ef3 100644
--- a/CRM/Contact/Form/Search/Advanced.php
+++ b/CRM/Contact/Form/Search/Advanced.php
@@ -226,6 +226,10 @@ class CRM_Contact_Form_Search_Advanced extends CRM_Contact_Form_Search {
     $this->set('isAdvanced', '1');
 
     $this->setFormValues();
+    if (is_numeric($_POST['id'] ?? NULL)) {
+      $this->_formValues['contact_id'] = (int) $_POST['id'];
+    }
+    $this->set('formValues', $this->_formValues);
     // get user submitted values
     // get it from controller only if form has been submitted, else preProcess has set this
     if (!empty($_POST)) {
@@ -238,13 +242,7 @@ class CRM_Contact_Form_Search_Advanced extends CRM_Contact_Form_Search {
         }
       }
 
-      // set the group if group is submitted
-      if (!empty($this->_formValues['uf_group_id'])) {
-        $this->set('id', $this->_formValues['uf_group_id']);
-      }
-      else {
-        $this->set('id', '');
-      }
+      $this->set('uf_group_id', $this->_formValues['uf_group_id'] ?? '');
     }
 
     // retrieve ssID values only if formValues is null, i.e. form has never been posted
diff --git a/CRM/Contact/Form/Search/Builder.php b/CRM/Contact/Form/Search/Builder.php
index c65dc87d0c..a0a1e70f0f 100644
--- a/CRM/Contact/Form/Search/Builder.php
+++ b/CRM/Contact/Form/Search/Builder.php
@@ -365,14 +365,7 @@ class CRM_Contact_Form_Search_Builder extends CRM_Contact_Form_Search {
     // get it from controller only if form has been submitted, else preProcess has set this
     if (!empty($_POST)) {
       $this->_formValues = $this->controller->exportValues($this->_name);
-
-      // set the group if group is submitted
-      if (!empty($this->_formValues['uf_group_id'])) {
-        $this->set('id', $this->_formValues['uf_group_id']);
-      }
-      else {
-        $this->set('id', '');
-      }
+      $this->set('uf_group_id', $this->_formValues['uf_group_id'] ?? '');
     }
 
     // we dont want to store the sortByCharacter in the formValue, it is more like
diff --git a/CRM/Contact/Form/Search/Criteria.php b/CRM/Contact/Form/Search/Criteria.php
index ac6b938203..b7f60d9469 100644
--- a/CRM/Contact/Form/Search/Criteria.php
+++ b/CRM/Contact/Form/Search/Criteria.php
@@ -98,8 +98,8 @@ class CRM_Contact_Form_Search_Criteria {
     $form->addElement('text', 'job_title', ts('Job Title'), CRM_Core_DAO::getAttribute('CRM_Contact_DAO_Contact', 'job_title'));
 
     //added internal ID
-    $form->add('number', 'contact_id', ts('Contact ID'), CRM_Core_DAO::getAttribute('CRM_Contact_DAO_Contact', 'id') + ['min' => 1]);
-    $form->addRule('contact_id', ts('Please enter valid Contact ID'), 'positiveInteger');
+    $form->add('number', 'id', ts('Contact ID'), CRM_Core_DAO::getAttribute('CRM_Contact_DAO_Contact', 'id') + ['min' => 1]);
+    $form->addRule('id', ts('Please enter valid Contact ID'), 'positiveInteger');
 
     //added external ID
     $form->addElement('text', 'external_identifier', ts('External ID'), CRM_Core_DAO::getAttribute('CRM_Contact_DAO_Contact', 'external_identifier'));
-- 
2.25.1