From ae2ade98e2578a401f852437480331adc4406ff8 Mon Sep 17 00:00:00 2001
From: eileen
Date: Wed, 19 Dec 2018 18:17:40 +1300
Subject: [PATCH] Do not check financial permissions on contribution.create if check_permissions is FALSE.

Our standard is to only check permissions at the api layer if check_permissions is TRUE (which is is by default for javascript calls but not in php calls)
---
 api/v3/Contribution.php | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/api/v3/Contribution.php b/api/v3/Contribution.php
index a52600f6d8..d24adbf1b5 100644
--- a/api/v3/Contribution.php
+++ b/api/v3/Contribution.php
@@ -56,7 +56,7 @@ function civicrm_api3_contribution_create(&$params) {
   }
   $params['skipCleanMoney'] = TRUE;
 
-  if (CRM_Financial_BAO_FinancialType::isACLFinancialTypeStatus()) {
+  if (!empty($params['check_permissions']) && CRM_Financial_BAO_FinancialType::isACLFinancialTypeStatus()) {
     if (empty($params['id'])) {
       $op = CRM_Core_Action::ADD;
     }
@@ -68,7 +68,7 @@ function civicrm_api3_contribution_create(&$params) {
     }
     CRM_Financial_BAO_FinancialType::getAvailableFinancialTypes($types, $op);
     if (!in_array($params['financial_type_id'], array_keys($types))) {
-      return civicrm_api3_create_error('You do not have permission to create this contribution');
+      throw new API_Exception('You do not have permission to create this contribution');
     }
   }
   if (!empty($params['id']) && !empty($params['contribution_status_id'])) {
@@ -214,6 +214,7 @@ function _civicrm_api3_contribution_create_legacy_support_45(&$params) {
  *   Input parameters.
  *
  * @return array
+ * @throws \API_Exception
  */
 function civicrm_api3_contribution_delete($params) {
 
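Review bot: A PHP caller that forwards a user-chosen `financial_type_id` without setting `check_permissions` now skips the financial-type ACL check on the changed `if` line entirely, and nothing at the call site records that this is deliberate. A why-comment above the condition would make the contract visible to the next reader: `// Financial-type ACLs are enforced only when the caller opts in via check_permissions (TRUE by default for javascript calls, not for php calls).` The `!empty()` test treats `0`/`'0'` the same as an absent key, which matches how the flag is read elsewhere in api3, assuming the api wrapper does not normalise it to a bool before this point. civicrm_api3_contribution_create starts before and ends after this hunk.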
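Review bot: The new `throw new API_Exception(...)` changes civicrm_api3_contribution_create's failure mode from an error array to an exception, but its docblock (before this hunk) is not given the ` * @throws \API_Exception` tag that the third hunk adds for civicrm_api3_contribution_delete; add the same line there so both entry points document the same failure mode. Callers that used to inspect `is_error` on the returned array will now see an exception instead, which is presumably what the api wrapper already handles — worth confirming against the wrapper's exception path. The unchanged `in_array($params['financial_type_id'], array_keys($types))` on the line above is a loose comparison; `array_key_exists($params['financial_type_id'], $types)` would be both stricter and simpler if this block is touched again. civicrm_api3_contribution_create starts before and ends after this hunk.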
@@ -221,11 +222,13 @@ function civicrm_api3_contribution_delete($params) {
   // First check contribution financial type
   $financialType = CRM_Core_DAO::getFieldValue('CRM_Contribute_DAO_Contribution', $contributionID, 'financial_type_id');
   // Now check permissioned lineitems & permissioned contribution
-  if (CRM_Financial_BAO_FinancialType::isACLFinancialTypeStatus()
-    && !CRM_Core_Permission::check('delete contributions of type ' . CRM_Contribute_PseudoConstant::financialType($financialType)) ||
-    !CRM_Financial_BAO_FinancialType::checkPermissionedLineItems($contributionID, 'delete', FALSE)
+  if (!empty($params['check_permissions']) && CRM_Financial_BAO_FinancialType::isACLFinancialTypeStatus() &&
+    (
+      !CRM_Core_Permission::check('delete contributions of type ' . CRM_Contribute_PseudoConstant::financialType($financialType))
+      || !CRM_Financial_BAO_FinancialType::checkPermissionedLineItems($contributionID, 'delete', FALSE)
+    )
   ) {
-    return civicrm_api3_create_error('You do not have permission to delete this contribution');
+    throw new API_Exception('You do not have permission to delete this contribution');
   }
   if (CRM_Contribute_BAO_Contribution::deleteContribution($contributionID)) {
     return civicrm_api3_create_success(array($contributionID => 1));

-- 
2.25.1
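Review bot: The rewritten condition mixes a trailing `&&` on the `if (` line with a leading `||` inside the parenthesised group, so the three-way conjunction reads inconsistently and the lone `(` on its own line is unusual for this file; the removed lines, like the rest of CiviCRM, put the operator at the start of the continuation line. Writing it as `if (!empty($params['check_permissions'])` / `  && CRM_Financial_BAO_FinancialType::isACLFinancialTypeStatus()` / `  && (` keeps the delete guard visually parallel to the create guard earlier in the file while preserving the new, correctly parenthesised precedence. A short comment above the `if` would also help, since the opt-in is now silent for PHP callers: `// Financial-type ACLs apply only when the caller opts in via check_permissions.` civicrm_api3_contribution_delete starts before and ends after this hunk.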