From 709672c6b29ecf7bd2b7333bad06778f38bad8d9 Mon Sep 17 00:00:00 2001
From: eileen
Date: Mon, 22 Mar 2021 11:16:33 +1300
Subject: [PATCH] Remove exposure of implied_permissions beyond class
---
 CRM/Core/Permission.php | 9 +++++--
 .../Subscriber/DynamicFKAuthorizationTest.php | 25 ++++++++++---------
 2 files changed, 20 insertions(+), 14 deletions(-)
diff --git a/CRM/Core/Permission.php b/CRM/Core/Permission.php
index a403c9b81f..37c14b0414 100644
--- a/CRM/Core/Permission.php
+++ b/CRM/Core/Permission.php
@@ -911,12 +911,17 @@ class CRM_Core_Permission {
 * @return array
 */
 public static function getImpliedPermissionsFor(string $permission): array {
+ if (in_array($permission[0], ['@', '*'], TRUE)) {
+ // Special permissions like '*always deny*' - see DynamicFKAuthorizationTest.
+ // Also '@afform - see AfformUsageTest.
+ return [];
+ }
 $implied = Civi::cache('metadata')->get('implied_permissions', []);
 if (isset($implied[$permission])) {
 return $implied[$permission];
 }
- $implied[$permission] = [];
- foreach (self::basicPermissions(FALSE, TRUE) as $key => $details) {
+ $implied[$permission] = ['all CiviCRM permissions and ACLs'];
+ foreach (self::getImpliedAdminPermissions() as $key => $details) {
 if (in_array($permission, $details['implied_permissions'] ?? [], TRUE)) {
 $implied[$permission][] = $key;
 }
diff --git a/tests/phpunit/Civi/API/Subscriber/DynamicFKAuthorizationTest.php b/tests/phpunit/Civi/API/Subscriber/DynamicFKAuthorizationTest.php
index 0934a626d2..c69c3e4fb2 100644
--- a/tests/phpunit/Civi/API/Subscriber/DynamicFKAuthorizationTest.php
+++ b/tests/phpunit/Civi/API/Subscriber/DynamicFKAuthorizationTest.php
@@ -2,6 +2,7 @@
 namespace Civi\API\Subscriber;
 use Civi\API\Kernel;
+use Civi\API\Provider\StaticProvider;
 use Symfony\Component\EventDispatcher\EventDispatcher;
 /**
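Review bot: The new guard reads `$permission[0]` before anything establishes that `$permission` is non-empty, so an empty-string argument produces an "Uninitialized string offset" warning (PHP 8; a notice on 7.x) on its way to the cache lookup rather than being rejected up front; `if ($permission === '' || in_array($permission[0], ['@', '*'], TRUE)) {` short-circuits that case while keeping the intent. The comment on the following line has an unbalanced quote and would read more clearly as `// Also '@afform' - see AfformUsageTest.`. Seeding every non-special entry with `'all CiviCRM permissions and ACLs'` changes what the method reports for ordinary permissions, which looks deliberate but deserves a why-comment such as `// The super-permission implies every ordinary permission; special '*'/'@' names are excluded above.`. getImpliedPermissionsFor continues past the end of this hunk, so where the seeded array is written back to the cache is not visible here.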
@@ -27,12 +28,12 @@ class DynamicFKAuthorizationTest extends \CiviUnitTestCase {
 */
 public $kernel;
- protected function setUp() {
+ protected function setUp(): void {
 parent::setUp();
 \CRM_Core_DAO_AllCoreTables::init(TRUE);
 \CRM_Core_DAO_AllCoreTables::registerEntityType('FakeFile', 'CRM_Fake_DAO_FakeFile', 'fake_file');
- $fileProvider = new \Civi\API\Provider\StaticProvider(
+ $fileProvider = new StaticProvider(
 3,
 'FakeFile',
 ['id', 'entity_table', 'entity_id'],
@@ -44,7 +45,7 @@ class DynamicFKAuthorizationTest extends \CiviUnitTestCase {
 );
 \CRM_Core_DAO_AllCoreTables::registerEntityType('Widget', 'CRM_Fake_DAO_Widget', 'fake_widget');
- $widgetProvider = new \Civi\API\Provider\StaticProvider(3, 'Widget',
+ $widgetProvider = new StaticProvider(3, 'Widget',
 ['id', 'title'],
 [],
 [
@@ -53,7 +54,7 @@ class DynamicFKAuthorizationTest extends \CiviUnitTestCase {
 );
 \CRM_Core_DAO_AllCoreTables::registerEntityType('Forbidden', 'CRM_Fake_DAO_Forbidden', 'fake_forbidden');
- $forbiddenProvider = new \Civi\API\Provider\StaticProvider(
+ $forbiddenProvider = new StaticProvider(
 3,
 'Forbidden',
 ['id', 'label'],
@@ -90,18 +91,18 @@ class DynamicFKAuthorizationTest extends \CiviUnitTestCase {
 else null
 end as entity_table,
 case %1
- when " . self::FILE_WIDGET_ID . " then " . self::WIDGET_ID . "
- when " . self::FILE_FORBIDDEN_ID . " then " . self::FORBIDDEN_ID . "
+ when " . self::FILE_WIDGET_ID . ' then ' . self::WIDGET_ID . '
+ when ' . self::FILE_FORBIDDEN_ID . ' then ' . self::FORBIDDEN_ID . '
 else null
 end as entity_id
- ",
+ ',
 // Get a list of custom fields (field_name,table_name,extends)
- "select",
+ 'select',
 ['fake_widget', 'fake_forbidden']
 ));
 }
- protected function tearDown() {
+ protected function tearDown(): void {
 parent::tearDown();
 \CRM_Core_DAO_AllCoreTables::init(TRUE);
 }
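Review bot: The quote change in the `case %1` block of the `@@ -90,18` hunk leaves a single concatenated SQL literal that is opened with `"` (before this hunk) and closed with `'`, so a reader has to track two quote styles through the same string to see where PHP ends and SQL begins. The spliced values are the class's own constants (`self::FILE_WIDGET_ID` and friends) rather than request input, so this is a readability point, not an input-handling one. Either convert the opening segment of the literal as well so one quote style runs end to end, or assemble the whole SQL once with `sprintf` and keep the constants out of the string concatenation. The `DynamicFKAuthorization` constructor call that this literal belongs to starts above the hunk.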
@@ -196,10 +197,10 @@ class DynamicFKAuthorizationTest extends \CiviUnitTestCase {
 }
 /**
- * @param $entity
- * @param $action
+ * @param string $entity
+ * @param int $action
 * @param array $params
- * @param $expectedError
+ * @param array $expectedError
 * @dataProvider badDataProvider
 */
 public function testBad($entity, $action, $params, $expectedError) {
-- 
2.25.1
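Review bot: The types added to the docblock (`string $entity`, `int $action`, `array $params`, `array $expectedError`) are not enforced anywhere, because the signature on the hunk's last line stays untyped, so a provider row of the wrong shape is still accepted silently. If `badDataProvider` really yields an int for `$action` (the provider is not visible in this diff, so that is worth confirming before relying on the annotation), the same information in the signature would be checked at runtime: `public function testBad(string $entity, int $action, array $params, array $expectedError): void {`. The body of testBad lies below the hunk.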