From 44d17ec8f4574299ee3ec7888d0da33dbcc77373 Mon Sep 17 00:00:00 2001
From: Bob Silvern
Date: Sat, 13 Aug 2016 08:18:33 -0700
Subject: [PATCH] CRM-19201 - Move common code into CRM_Core_Permission::access.
----------------------------------------
* CRM-19201: Cannot search CiviCampaign/CiviCase activities or report CiviCampaign activities https://issues.civicrm.org/jira/browse/CRM-19201
---
 CRM/Activity/Selector/Search.php | 26 ++++++--------------------
 CRM/Core/Permission.php | 30 +++++++++++++++++++++++-------
 CRM/Report/Form/Activity.php | 22 +++++-----------------
 3 files changed, 34 insertions(+), 44 deletions(-)
diff --git a/CRM/Activity/Selector/Search.php b/CRM/Activity/Selector/Search.php
index 2e6543e9f0..dcd396daaf 100644
--- a/CRM/Activity/Selector/Search.php
+++ b/CRM/Activity/Selector/Search.php
@@ -174,26 +174,12 @@ class CRM_Activity_Selector_Search extends CRM_Core_Selector_Base implements CRM
 $components = CRM_Core_Component::getNames();
 $componentClause = array();
 foreach ($components as $componentID => $componentName) {
- // CRM-19201: Add support for searching CiviCampaign and CiviCase
- // activities.
- // "access all cases and activities" is used here rather than
- // "access my cases and activities" to prevent those with only the later
- // permission to see a list of all cases which might present a privacy
- // issue.
- switch ($componentName) {
- case 'CiviCase':
- $perm = "access all cases and activities";
- break;
-
- case 'CiviCampaign':
- $perm = "administer $componentName";
- break;
-
- default:
- $perm = "access $componentName";
- break;
- }
- if (!CRM_Core_Permission::check($perm)) {
+ // CRM-19201: Add support for reporting CiviCampaign activities
+ // For CiviCase, "access all cases and activities" is required here
+ // rather than "access my cases and activities" to prevent those with
+ // only the later permission from seeing a list of all cases which might
+ // present a privacy issue.
+ if (!CRM_Core_Permission::access($componentName, TRUE, TRUE)) {
 $componentClause[] = " (activity_type.component_id IS NULL OR activity_type.component_id <> {$componentID}) ";
 }
 }
diff --git a/CRM/Core/Permission.php b/CRM/Core/Permission.php
index a0210146e5..01cb4e2d54 100644
--- a/CRM/Core/Permission.php
+++ b/CRM/Core/Permission.php
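Review bot: Routing this filter through `CRM_Core_Permission::access()` adds a condition the old `check($perm)` call did not have: per the Permission.php part of this patch, `access()` first tests `in_array($module, $config->enableComponents)`, so if `getNames()` returns components that are not enabled, their activity types are now excluded from search results as well. That looks like a tightening rather than a leak, but it is a behaviour change worth stating in the comment. The comment itself was copied from the report form and says "reporting" inside the search selector; I would write `// CRM-19201: Add support for searching CiviCampaign and CiviCase activities.` and correct "later" to "latter" here and in the CRM/Report/Form/Activity.php hunk. The bare `TRUE, TRUE` at both call sites hides which flag enforces the all-cases restriction, so a short comment such as `// TRUE, TRUE: check permission, require "access all cases and activities"` would help. The enclosing method starts and ends outside the hunk.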
@@ -411,12 +411,22 @@ class CRM_Core_Permission {
 }
 
 /**
- * @param $module
+ * Checks that component is enabled and optionally that user has basic perm.
+ *
+ * @param string $module
+ * Specifies the name of the CiviCRM component.
 * @param bool $checkPermission
+ * Check not only that module is enabled, but that user has necessary
+ * permission.
+ * @param bool $requireAllCasesPermOnCiviCase
+ * Significant only if $module == CiviCase
+ * Require "access all cases and activities", not just
+ * "access my cases and activities".
 *
 * @return bool
+ * Access to specified $module is granted.
 */
- public static function access($module, $checkPermission = TRUE) {
+ public static function access($module, $checkPermission = TRUE, $requireAllCasesPermOnCiviCase = FALSE) {
 $config = CRM_Core_Config::singleton();
 
 if (!in_array($module, $config->enableComponents)) {
@@ -424,11 +434,17 @@ class CRM_Core_Permission {
 }
 
 if ($checkPermission) {
- if ($module == 'CiviCase') {
- return CRM_Case_BAO_Case::accessCiviCase();
- }
- else {
- return CRM_Core_Permission::check("access $module");
+ switch ($module) {
+ case 'CiviCase':
+ $access_all_cases = CRM_Core_Permission::check("access all cases and activities");
+ $access_my_cases = CRM_Core_Permission::check("access my cases and activities");
+ return $access_all_cases || (!$requireAllCasesPermOnCiviCase && $access_my_cases);
+
+ case 'CiviCampaign':
+ return CRM_Core_Permission::check("administer $module");
+
+ default:
+ return CRM_Core_Permission::check("access $module");
 }
 }
 
diff --git a/CRM/Report/Form/Activity.php b/CRM/Report/Form/Activity.php
index 2be48c2860..c2aa105d4d 100644
--- a/CRM/Report/Form/Activity.php
+++ b/CRM/Report/Form/Activity.php
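Review bot: The stricter CiviCase check is opt-in, because `$requireAllCasesPermOnCiviCase` defaults to `FALSE` in the new signature; a caller that gates a cross-case listing and omits the third argument gets the "access my cases and activities" behaviour that this patch keeps away from the search and report listings. The default is needed for backward compatibility, so the docblock should carry the warning, for example `Pass TRUE wherever the result gates a list that is not limited to the user's own cases.` The docblock also does not say that CiviCampaign is now checked against "administer CiviCampaign" instead of "access CiviCampaign"; a sentence under the summary line should state that. The function body continues past the end of this hunk.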
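Review bot: The new `case 'CiviCampaign':` branch changes the answer for every existing caller of `access('CiviCampaign')`, not only the two call sites touched in this patch: such calls were checked against "access CiviCampaign" before and are checked against "administer CiviCampaign" now. Callers outside this patch are not visible here, so they should be audited, and the reason recorded next to the branch, e.g. `// CiviCampaign has no "access" permission; "administer CiviCampaign" is the gate.` if that is indeed the reason. The CiviCase branch no longer delegates to `CRM_Case_BAO_Case::accessCiviCase()`, whose body is not shown; anything it does beyond the two permission checks is lost here and should be confirmed as intentional. As a style point, `$access_all_cases` and `$access_my_cases` are snake_case beside camelCase parameters, and both `check()` calls run even when the first already grants access; returning `check("access all cases and activities") || (!$requireAllCasesPermOnCiviCase && check("access my cases and activities"))` directly avoids both.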
@@ -62,23 +62,11 @@ class CRM_Report_Form_Activity extends CRM_Report_Form {
 $components = CRM_Core_Component::getEnabledComponents();
 foreach ($components as $componentName => $componentInfo) {
 // CRM-19201: Add support for reporting CiviCampaign activities
- // "access all cases and activities" is used here rather than "access my
- // cases and activities" to prevent those with only the later permission
- // from seeing a list of all cases which might present a privacy issue.
- switch ($componentName) {
- case 'CiviCase':
- $perm = "access all cases and activities";
- break;
-
- case 'CiviCampaign':
- $perm = "administer $componentName";
- break;
-
- default:
- $perm = "access $componentName";
- break;
- }
- if (CRM_Core_Permission::check($perm)) {
+ // For CiviCase, "access all cases and activities" is required here
+ // rather than "access my cases and activities" to prevent those with
+ // only the later permission from seeing a list of all cases which might
+ // present a privacy issue.
+ if (CRM_Core_Permission::access($componentName, TRUE, TRUE)) {
 $accessAllowed[] = $componentInfo->componentID;
 }
 }
--
2.25.1