From 4dc781056eff5f9c151ab299c8311066bebd2c2b Mon Sep 17 00:00:00 2001 From: Coleman Watts Date: Fri, 8 Jan 2016 17:29:46 -0500 Subject: [PATCH] CRM-17795 - Refine api permissions Improves permissions for relationship, address, email, phone, website, im, loc_block --- CRM/Contact/BAO/Relationship.php | 15 +++++++++++++++ CRM/Core/DAO/permissions.php | 21 ++++++++++----------- 2 files changed, 25 insertions(+), 11 deletions(-) diff --git a/CRM/Contact/BAO/Relationship.php b/CRM/Contact/BAO/Relationship.php index 8f4c19f378..9b2319031a 100644 --- a/CRM/Contact/BAO/Relationship.php +++ b/CRM/Contact/BAO/Relationship.php @@ -2101,4 +2101,19 @@ AND cc.sort_name LIKE '%$name%'"; return $relationshipsDT; } + /** + * @inheritDoc + */ + public function apiWhereClause($tableAlias) { + // Generate an acl clause for both contacts in the relationship + $clauses = array(); + foreach (array('a', 'b') as $a) { + $clause = CRM_Contact_BAO_Contact_Permission::cacheSubquery("`$tableAlias`.contact_id_$a"); + if ($clause !== NULL) { + $clauses[] = $clause; + } + } + return $clauses ? implode(' AND ', $clauses) : NULL; + } + } diff --git a/CRM/Core/DAO/permissions.php b/CRM/Core/DAO/permissions.php index 96597a7935..8663778a5e 100644 --- a/CRM/Core/DAO/permissions.php +++ b/CRM/Core/DAO/permissions.php @@ -108,10 +108,8 @@ function _civicrm_api3_permissions($entity, $action, &$params) { // Contact-related data permissions. // CRM-14094 - Users can edit and delete contact-related objects using inline edit with 'edit all contacts' permission $permissions['address'] = array( - 'get' => array( - 'access CiviCRM', - 'view all contacts', - ), + // get is managed by BAO::apiWhereClause + 'get' => array(), 'default' => array( 'access CiviCRM', 'edit all contacts', @@ -121,9 +119,10 @@ function _civicrm_api3_permissions($entity, $action, &$params) { $permissions['phone'] = $permissions['address']; $permissions['website'] = $permissions['address']; $permissions['im'] = $permissions['address']; - $permissions['loc_block'] = $permissions['address']; - $permissions['entity_tag'] = $permissions['address']; - $permissions['note'] = $permissions['address']; + // @todo - implement CRM_Core_BAO_EntityTag::apiWhereClause and remove this heavy-handed restriction + $permissions['entity_tag'] = array('get' => array('access CiviCRM', 'view all contacts')) + $permissions['address']; + // @todo - ditto + $permissions['note'] = $permissions['entity_tag']; // Allow non-admins to get and create tags to support tagset widget // Delete is still reserved for admins @@ -135,10 +134,8 @@ function _civicrm_api3_permissions($entity, $action, &$params) { //relationship permissions $permissions['relationship'] = array( - 'get' => array( - 'access CiviCRM', - 'view all contacts', - ), + // get is managed by BAO::apiWhereClause + 'get' => array(), 'delete' => array( 'access CiviCRM', 'edit all contacts', @@ -250,6 +247,8 @@ function _civicrm_api3_permissions($entity, $action, &$params) { 'edit all events', ), ); + // Loc block is only used for events + $permissions['loc_block'] = $permissions['event']; // File permissions $permissions['file'] = array( -- 2.25.1