From 3ae62cab88db4150eed1e9e907414870df5ddccc Mon Sep 17 00:00:00 2001
From: Nicolas Ganivet
Date: Tue, 23 Aug 2016 02:07:41 -0600
Subject: [PATCH] CRM-19256: full fix
---
 CRM/Core/Permission.php | 6 +++++-
 CRM/Utils/Hook.php | 19 +++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/CRM/Core/Permission.php b/CRM/Core/Permission.php
index a0210146e5..0a3e854ad0 100644
--- a/CRM/Core/Permission.php
+++ b/CRM/Core/Permission.php
@@ -134,8 +134,12 @@ class CRM_Core_Permission {
 return FALSE;
 }
 else {
+ // This is an individual permission
+ $granted = CRM_Core_Config::singleton()->userPermissionClass->check($permission);
+ // Call the permission_check hook to permit dynamic escalation (CRM-19256)
+ CRM_Utils_Hook::permission_check($permission, $granted);
 if (
- !CRM_Core_Config::singleton()->userPermissionClass->check($permission)
+ !$granted
 && !($tempPerm && $tempPerm->check($permission))
 ) {
 //one of our 'and' conditions has not been met
diff --git a/CRM/Utils/Hook.php b/CRM/Utils/Hook.php
index 45cf6658e3..b9cb8b43ca 100644
--- a/CRM/Utils/Hook.php
+++ b/CRM/Utils/Hook.php
@@ -1729,6 +1729,25 @@ abstract class CRM_Utils_Hook {
 );
 }

+ /**
+ * This hook is called when checking permissions; use this hook to dynamically
+ * escalate user permissions in certain use cases (cf. CRM-19256).
+ *
+ * @param string $permission
+ * The name of an atomic permission, ie. 'access deleted contacts'
+ * @param boolean $granted
+ * Whether this permission is currently granted. The hook can change this value.
+ *
+ * @return null
+ * The return value is ignored
+ */
+ public static function permission_check($permission, &$granted) {
+ return self::singleton()->invoke(2, $permission, $granted,
+ self::$_nullObject, self::$_nullObject, self::$_nullObject, self::$_nullObject,
+ 'civicrm_permission_check'
+ );
+ }
+
 /**
 * @param CRM_Core_Exception Exception $exception
 * @param mixed $request
--
2.25.1
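Review bot: After `CRM_Utils_Hook::permission_check($permission, $granted);` the authorization decision is whatever the hook implementations left in `$granted`, and nothing records that the CMS answer was overridden. Since `$granted` is passed by reference, any enabled extension can turn a denial into a grant, or the reverse, for every atomic permission that reaches this branch. I would keep the CMS result in its own variable, `$cmsGranted = $granted;` before the hook call, and write a log entry when `$granted` differs from it afterwards, so an escalation can be traced in an audit or incident review. The enclosing method starts and ends outside the hunk, so whether its other branches go through the hook as well cannot be judged from here.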
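Review bot: The docblock of `permission_check` leaves out the security-relevant part of the contract: writing TRUE to `$granted` overrides a denial by the CMS, and the hook receives only the permission name, so a grant cannot be scoped to a contact or record. I would add a line such as `* Setting $granted to TRUE overrides a denial by the CMS; match on specific permission names and leave all others untouched.` Judging by the call site in CRM/Core/Permission.php the hook probably runs on every atomic permission check, so it is also worth stating that implementations must be cheap and that checking permissions from inside one may re-enter the hook (not verifiable from this hunk). Finally, `@return null` with "The return value is ignored" sits oddly beside `return self::singleton()->invoke(...)`, and `@param boolean` would normally be written `@param bool`.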