From 93ab798a06b9a471ce39b98265ce729bbe96a84d Mon Sep 17 00:00:00 2001
From: colemanw
Date: Mon, 13 Nov 2023 20:57:26 -0500
Subject: [PATCH] APIv4 - Fix access to case activities for administrators

Fixes dev/core#4769

Before: Case administrators with 'access deleted contacts' permission blocked from viewing Case activities in APIv4
After: Permissions work correctly.

The problem was the hook logic was incorrectly interpreting empty permissions to mean "no access" when it actually means "unrestricted access".
---
 ext/civi_case/civi_case.php | 10 ++++++----
 tests/phpunit/api/v4/Entity/CaseTest.php | 3 ++-
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/ext/civi_case/civi_case.php b/ext/civi_case/civi_case.php
index 43d5b67706..5ba1da28c4 100644
--- a/ext/civi_case/civi_case.php
+++ b/ext/civi_case/civi_case.php
@@ -25,14 +25,16 @@ function civi_case_civicrm_managed(&$entities, $modules) {
 */
 function civi_case_civicrm_selectWhereClause($entityName, &$clauses, $userId, $conditions) {
 if ($entityName === 'Activity') {
+ $casePerms = CRM_Utils_SQL::mergeSubquery('Case');
+ if (!$casePerms) {
+ // Unrestricted access to CiviCase
+ return;
+ }
 // OR group: either it's a non-case activity OR case permissions apply
 $orGroup = [
 'NOT IN (SELECT activity_id FROM civicrm_case_activity)',
+ 'IN (SELECT activity_id FROM civicrm_case_activity WHERE case_id ' . implode(' AND case_id ', $casePerms) . ')',
 ];
- $casePerms = CRM_Utils_SQL::mergeSubquery('Case');
- if ($casePerms) {
- $orGroup[] = 'IN (SELECT activity_id FROM civicrm_case_activity WHERE case_id ' . implode(' AND case_id ', $casePerms) . ')';
- }
 $clauses['id'][] = $orGroup;
 }
 }
diff --git a/tests/phpunit/api/v4/Entity/CaseTest.php b/tests/phpunit/api/v4/Entity/CaseTest.php
index 39cd8d3028..1e2f877364 100644
--- a/tests/phpunit/api/v4/Entity/CaseTest.php
+++ b/tests/phpunit/api/v4/Entity/CaseTest.php
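Review bot: The early `return` behind `if (!$casePerms)` now makes the entire Activity restriction depend on the convention that an empty result from `CRM_Utils_SQL::mergeSubquery('Case')` means "unrestricted Case access", yet the one-line comment `// Unrestricted access to CiviCase` does not say that, and the code this replaces read the very same empty value as "nothing to add" — which is the misreading dev/core#4769 came from. I would state the rule at the point of decision: `// mergeSubquery() returns an empty array when the user's Case access is unrestricted (not when it is denied), so no Activity-level restriction is needed here.` A second short comment on the `'IN (SELECT …'` line would help too, since each `$casePerms` fragment is spliced in after `case_id ` and joined with `' AND case_id '`, so every fragment must be a complete `<operator> (…)` clause (inferred from the implode, not shown in the hunk). The function's docblock begins above the hunk, so whether it documents `$userId` and `$conditions` cannot be checked from here.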
@@ -257,10 +257,11 @@ class CaseTest extends Api4TestBase {
 $this->assertCount(1, $result);
 $this->assertEquals($case1, $result[0]);
- // CiviCase permission for all cases
+ // CiviCase permission for all contacts and cases
 \CRM_Core_Config::singleton()->userPermissionClass->permissions = [
 'access CiviCRM',
 'view all contacts',
+ 'access deleted contacts',
 'access all cases and activities',
 'administer CiviCase',
 ];
-- 
2.25.1
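Review bot: The added `'access deleted contacts'` entry is the permission that reproduced dev/core#4769, but nothing in the hunk records that, and the reworded comment (`// CiviCase permission for all contacts and cases`) reads as a generic widening of the fixture rather than a regression guard, so a later cleanup could drop the entry without anyone noticing which bug it pins. I would tie it to the issue inline: `'access deleted contacts', // regression guard for dev/core#4769: this used to hide case activities from case administrators`. The assertions that exercise this permission set follow the hunk, and the enclosing test method starts above it, so neither can be checked from here.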