From a0fd420c71ed387e21eb1bffb3b4113b6db5bfac Mon Sep 17 00:00:00 2001
From: jitendrapurohit
Date: Fri, 31 Jul 2015 17:20:38 +0530
Subject: [PATCH] CRM-13644 - ACL does not protect group listing (in civiMail and other places)
---
 CRM/ACL/API.php | 3 +++
 api/v3/Group.php | 13 ++++++++-----
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/CRM/ACL/API.php b/CRM/ACL/API.php
index f3681b3fa8..675beb80de 100644
--- a/CRM/ACL/API.php
+++ b/CRM/ACL/API.php
@@ -227,6 +227,9 @@ class CRM_ACL_API {
 $groups = self::group($type, $contactID, $tableName, $allGroups, $includedGroups);
 $cache[$key] = $groups;
 }
+ if (empty($groups)) {
+ return FALSE;
+ }
 return in_array($groupID, $groups) ? TRUE : FALSE;
 }
diff --git a/api/v3/Group.php b/api/v3/Group.php
index a5d7cfeb23..37b9567c1e 100644
--- a/api/v3/Group.php
+++ b/api/v3/Group.php
@@ -71,14 +71,17 @@ function _civicrm_api3_group_create_spec(&$params) {
 */
 function civicrm_api3_group_get($params) {
 $options = _civicrm_api3_get_options_from_params($params, TRUE, 'Group', 'get');
- if (empty($options['return']) || !in_array('member_count', $options['return'])) {
- return _civicrm_api3_basic_get(_civicrm_api3_get_BAO(__FUNCTION__), $params, TRUE, 'Group');
- }
-
 $groups = _civicrm_api3_basic_get(_civicrm_api3_get_BAO(__FUNCTION__), $params, FALSE, 'Group');
 foreach ($groups as $id => $group) {
- $groups[$id]['member_count'] = CRM_Contact_BAO_Group::memberCount($id);
+ $permission = CRM_Contact_BAO_Group::checkPermission($group['id']);
+ if (!$permission) {
+ unset($groups[$id]);
+ }
+ else if (!empty($options['return']) && in_array('member_count', $options['return'])) {
+ $groups[$id]['member_count'] = CRM_Contact_BAO_Group::memberCount($id);
+ }
 }
+ $groups = array_values($groups);
 return civicrm_api3_create_success($groups, $params, 'Group', 'get');
 }
--
2.25.1
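Review bot: The new `empty($groups)` guard in CRM/ACL/API.php has no comment saying why it is needed. Since `in_array()` on an empty array already returns FALSE, it presumably covers the case where `self::group()` yields something that is not an array; a line such as `// Deny when the ACL lookup produced no groups (possibly a non-array); never hand that to in_array().` would record the fail-closed intent. The guard sits after `$cache[$key] = $groups;`, so an empty result is still cached, which looks intended but is worth stating. The `in_array($groupID, $groups)` on the following line compares loosely; in a function that returns an access decision, a strict comparison on normalised ids would be safer if the id types allow it. The method begins above the hunk.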
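Review bot: In `civicrm_api3_group_get` the permission check is keyed on `$group['id']` while the rest of the loop uses the array key `$id`; if a caller narrows `return` so that `id` is not among the returned fields, `checkPermission()` would receive an undefined value, and what it decides in that case is not visible here. Using the key keeps the check tied to the row being filtered: `$permission = CRM_Contact_BAO_Group::checkPermission($id);`. Two further things to confirm: the filter runs after `_civicrm_api3_basic_get()` has fetched the rows, so any limit or offset applied there counts groups the caller cannot see, and it runs regardless of `$params['check_permissions']`, which may matter for trusted internal callers. `array_values()` also replaces whatever keys the fetch returned with 0..n-1, so callers that index the values by group id would need checking.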