From 58f23040d515690aa31779a9e76165b63682ba73 Mon Sep 17 00:00:00 2001
From: Coleman Watts
Date: Sun, 21 Aug 2022 19:29:51 -0400
Subject: [PATCH] API - Standardize group ACL checks

Fixes dev/core#2667

Implements a standard BAO::addSelectWhereClause() function for checking group ACLs. This fixes setting a limit in APIv3, and fixes ACLs for v4.
---
 CRM/Contact/BAO/Group.php | 16 ++++++++++++++++
 api/v3/Group.php | 3 ---
 tests/phpunit/api/v3/GroupTest.php | 6 ++++--
 3 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/CRM/Contact/BAO/Group.php b/CRM/Contact/BAO/Group.php
index b7e0397610..a7720eaee8 100644
--- a/CRM/Contact/BAO/Group.php
+++ b/CRM/Contact/BAO/Group.php
@@ -316,6 +316,22 @@ class CRM_Contact_BAO_Group extends CRM_Contact_DAO_Group {
 return $permissions;
 }
 
+ /**
+ * @inheritDoc
+ */
+ public function addSelectWhereClause() {
+ $clauses = [];
+ if (!CRM_Core_Permission::check([['edit all contacts', 'view all contacts']])) {
+ $allGroups = CRM_Core_PseudoConstant::allGroup(NULL, FALSE);
+ // FIXME: TableName 'civicrm_saved_search' seems wrong but is consistent with self::checkPermission
+ $allowedGroups = \CRM_ACL_API::group(CRM_ACL_API::VIEW, NULL, 'civicrm_saved_search', $allGroups);
+ $groupsIn = $allowedGroups ? implode(',', $allowedGroups) : '0';
+ $clauses['id'][] = "IN ($groupsIn)";
+ }
+ CRM_Utils_Hook::selectWhereClause($this, $clauses);
+ return $clauses;
+ }
+
 /**
 * Create a new group.
 *
diff --git a/api/v3/Group.php b/api/v3/Group.php
index a963122f73..6ebd4ded37 100644
--- a/api/v3/Group.php
+++ b/api/v3/Group.php
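Review bot: The `IN ($groupsIn)` fragment in addSelectWhereClause() interpolates the values returned by `CRM_ACL_API::group()` straight into SQL without normalising them; since this clause is the ACL boundary itself, cast each id before joining, `$groupsIn = $allowedGroups ? implode(',', array_map('intval', $allowedGroups)) : '0';`. The ids are presumably integers already, so this is defence in depth rather than a known bug, but it keeps the fragment well-formed if a non-numeric value is ever returned. The `@inheritDoc` docblock says nothing about what the override actually does; a one-line summary such as `Restricts group lookups to groups the current user may VIEW unless they hold 'edit all contacts' or 'view all contacts'.` would help a reader arriving via the FIXME. The override does not call the parent implementation, so any clauses the base class would derive are not merged here — fine if intentional, but worth a comment saying so. The enclosing class begins before this hunk, and the deletion in api/v3/Group.php relies on the BAO query layer applying this clause under the same `check_permissions` flag the removed code tested, which cannot be confirmed from this patch.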
@@ -63,9 +63,6 @@ function civicrm_api3_group_get($params) {
 
 $groups = _civicrm_api3_basic_get(_civicrm_api3_get_BAO(__FUNCTION__), $params, FALSE, 'Group');
 foreach ($groups as $id => $group) {
- if (!empty($params['check_permissions']) && !CRM_Contact_BAO_Group::checkPermission($group['id'])) {
- unset($groups[$id]);
- }
 if (!empty($options['return']) && in_array('member_count', $options['return'])) {
 $groups[$id]['member_count'] = CRM_Contact_BAO_Group::memberCount($id);
 }
diff --git a/tests/phpunit/api/v3/GroupTest.php b/tests/phpunit/api/v3/GroupTest.php
index 4a9f8aa211..b335a5b695 100644
--- a/tests/phpunit/api/v3/GroupTest.php
+++ b/tests/phpunit/api/v3/GroupTest.php
@@ -336,9 +336,11 @@ class api_v3_GroupTest extends CiviUnitTestCase {
 
 /**
 * Test that ACLs are applied to group.get calls.
- * FIXME: Api4
+ * @param int $version
+ * @dataProvider versionThreeAndFour
 */
- public function testGroupGetACLs() {
+ public function testGroupGetACLs($version) {
+ $this->_apiversion = $version;
 $this->createLoggedInUser();
 CRM_Core_Config::singleton()->userPermissionClass->permissions = ['access CiviCRM'];
 $this->callAPISuccessGetCount('Group', ['check_permissions' => 1], 0);
-- 
2.25.1
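Review bot: `testGroupGetACLs($version)` takes the data-provider value untyped while the new docblock declares `@param int $version`; putting the type in the signature, `public function testGroupGetACLs(int $version) {`, makes the provider contract explicit and lets static analysis check it. The visible assertion only covers the deny case (count 0 with bare `access CiviCRM`), while the commit message says the change also fixes `limit` handling in APIv3; unless the part of the method below this hunk already does so, a positive case that grants a group ACL and reads it back with `'options' => ['limit' => 1]` under `check_permissions` would pin that fix for both versions. The test method continues past the end of the hunk.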