From 53df114261d381ab36069d1a93fead7a0883227d Mon Sep 17 00:00:00 2001 From: Edsel Date: Wed, 1 Apr 2015 17:52:41 +0530 Subject: [PATCH] CIVI-33 Added checks for price sets --- CRM/Price/BAO/PriceSet.php | 22 ++++++++++++++++------ CRM/Price/Form/Field.php | 5 +++++ CRM/Price/Form/Set.php | 6 ++++++ 3 files changed, 27 insertions(+), 6 deletions(-) diff --git a/CRM/Price/BAO/PriceSet.php b/CRM/Price/BAO/PriceSet.php index 60a2068abc..9a1241bcb2 100644 --- a/CRM/Price/BAO/PriceSet.php +++ b/CRM/Price/BAO/PriceSet.php @@ -446,17 +446,18 @@ WHERE ct.id = cp.financial_type_id AND SELECT DISTINCT ( price_set_id ) as id, {$column} FROM - civicrm_price_field, - civicrm_price_set + civicrm_price_set s + INNER JOIN civicrm_price_field f ON f.price_set_id = s.id + INNER JOIN civicrm_price_field_value v ON v.price_field_id = f.id WHERE civicrm_price_set.id = civicrm_price_field.price_set_id AND is_quick_config = 0 "; if (!$withInactive) { - $query .= ' AND civicrm_price_set.is_active = 1 '; + $query .= ' AND s.is_active = 1 '; } if (self::eventPriceSetDomainID()) { - $query .= ' AND civicrm_price_set.domain_id = ' . CRM_Core_Config::domainID(); + $query .= ' AND s.domain_id = ' . CRM_Core_Config::domainID(); } $priceSets = array(); @@ -466,9 +467,18 @@ WHERE ct.id = cp.financial_type_id AND if (!$componentId) { return $priceSets; } - $query .= " AND civicrm_price_set.extends LIKE '%$componentId%' "; + $query .= " AND s.extends LIKE '%$componentId%' "; } - + // Check permissioned financial types + CRM_Financial_BAO_FinancialType::getAvailableFinancialTypes($financialType, 'add'); + if ($financialType) { + $types = implode(',' , array_keys($financialType)); + $query .= ' AND s.financial_type_id IN (' . $types . ') AND v.financial_type_id IN (' . $types . ') '; + } + else { + $query .= " AND 0 "; // Do not display any price sets + } + $query .= " GROUP BY s.id"; $dao = CRM_Core_DAO::executeQuery($query); while ($dao->fetch()) { $priceSets[$dao->id] = $dao->$column; 
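Review bot: The unchanged WHERE line `civicrm_price_set.id = civicrm_price_field.price_set_id AND is_quick_config = 0` still uses the full table names, but the new FROM clause aliases those tables as `s` and `f`. MySQL does not resolve the original name of an aliased table, so the query should fail with an unknown-column error before any of the new permission filtering runs. The join condition is now expressed by `ON f.price_set_id = s.id`, so the line can be reduced to `s.is_quick_config = 0`. Qualifying the select list as well (`DISTINCT ( s.id ) as id, s.{$column}`) would avoid ambiguity now that three tables are joined, assuming `$column` always names a price-set column. The start of the query string and of the function lie outside the hunk.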
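Review bot: The `v.financial_type_id IN (...)` condition followed by `GROUP BY s.id` keeps a price set as soon as one of its field values has a permitted financial type, so a set that also contains values of types the user may not add is still listed. If every line item is meant to be permitted, the filter has to reject sets with any non-permitted value, for example by moving the value check into `HAVING SUM(v.financial_type_id NOT IN ($types)) = 0`. The inner joins also drop price sets that have no fields or field values yet, which may or may not be intended. `$financialType` is passed to `getAvailableFinancialTypes()` without being initialised and its keys are concatenated into the SQL unchecked; they are presumably integer IDs from the database, but `$types = implode(',', array_map('intval', array_keys($financialType)));` makes that explicit. The enclosing function starts and ends outside the hunk.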
diff --git a/CRM/Price/Form/Field.php b/CRM/Price/Form/Field.php index 3917e3c403..3fa34874b6 100644 --- a/CRM/Price/Form/Field.php +++ b/CRM/Price/Form/Field.php @@ -182,6 +182,11 @@ class CRM_Price_Form_Field extends CRM_Core_Form { // Financial Type $financialType = CRM_Financial_BAO_FinancialType::getIncomeFinancialType(); + foreach ($financialType as $finTypeId => $type) { + if (!CRM_Core_Permission::check('add contributions of type ' . $type)) { + unset($financialType[$finTypeId]); + } + } if (count($financialType)) { $this->assign('financialType', $financialType); } diff --git a/CRM/Price/Form/Set.php b/CRM/Price/Form/Set.php index 2e88a35208..2563ef8da4 100644 --- a/CRM/Price/Form/Set.php +++ b/CRM/Price/Form/Set.php @@ -191,6 +191,12 @@ class CRM_Price_Form_Set extends CRM_Core_Form { // financial type $financialType = CRM_Financial_BAO_FinancialType::getIncomeFinancialType(); + foreach ($financialType as $finTypeId => $type) { + if (!CRM_Core_Permission::check('add contributions of type ' . $type)) { + unset($financialType[$finTypeId]); + } + } + $this->add('select', 'financial_type_id', ts('Default Financial Type'), array('' => ts('- select -')) + $financialType, 'required' -- 2.25.1
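Review bot: Removing non-permitted entries from `$financialType` only narrows what the form offers; nothing in this hunk rejects a posted `financial_type_id` that was not in the list. Unless the form rule or postProcess (outside the hunk) repeats the `CRM_Core_Permission::check('add contributions of type ' . $type)` test on the submitted value, the restriction is enforced in the UI only. The same loop is added to CRM/Price/Form/Set.php and the same applies there. Both forms also duplicate logic that PriceSet.php in this commit obtains from `CRM_Financial_BAO_FinancialType::getAvailableFinancialTypes($financialType, 'add')`; assuming that helper returns the permitted types keyed by ID, a shared call plus `array_intersect_key()` would keep the three places consistent.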
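Review bot: With the list filtered, the `required` select for 'Default Financial Type' can end up without the value currently stored on an existing price set (when the editing user lacks the 'add' permission for that type), or with no choices at all. In the first case saving would presumably force a different default type; in the second the form cannot be submitted. Consider keeping the stored type in the options when editing, or handling the empty case explicitly, the way Field.php guards with `count($financialType)`. The `$this->add(...)` call continues past the end of the hunk.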