From aedb9de5bb2de3966085a12579ef8df2d4950ef4 Mon Sep 17 00:00:00 2001
From: demeritcowboy
Date: Tue, 1 Mar 2022 16:21:05 -0500
Subject: [PATCH] don't crash for users without participant permissions when viewing contributions
---
CRM/Contribute/Form/ContributionView.php | 40 +++++++------
.../Contribute/Form/ContributionViewTest.php | 58 +++++++++++++++++++
2 files changed, 80 insertions(+), 18 deletions(-)
create mode 100644 tests/phpunit/CRM/Contribute/Form/ContributionViewTest.php
diff --git a/CRM/Contribute/Form/ContributionView.php b/CRM/Contribute/Form/ContributionView.php
index aa54df0c83..610d9a6397 100644
--- a/CRM/Contribute/Form/ContributionView.php
+++ b/CRM/Contribute/Form/ContributionView.php
@@ -90,26 +90,30 @@ class CRM_Contribute_Form_ContributionView extends CRM_Core_Form { } } - $participantLineItems = \Civi\Api4\LineItem::get() - ->addSelect('entity_id', 'participant.role_id:label', 'participant.fee_level', 'participant.contact_id', 'contact.display_name') - ->addJoin('Participant AS participant', 'LEFT', ['participant.id', '=', 'entity_id']) - ->addJoin('Contact AS contact', 'LEFT', ['contact.id', '=', 'participant.contact_id']) - ->addWhere('entity_table', '=', 'civicrm_participant') - ->addWhere('contribution_id', '=', $id) - ->execute(); + try { + $participantLineItems = \Civi\Api4\LineItem::get() + ->addSelect('entity_id', 'participant.role_id:label', 'participant.fee_level', 'participant.contact_id', 'contact.display_name') + ->addJoin('Participant AS participant', 'LEFT', ['participant.id', '=', 'entity_id']) + ->addJoin('Contact AS contact', 'LEFT', ['contact.id', '=', 'participant.contact_id']) + ->addWhere('entity_table', '=', 'civicrm_participant') + ->addWhere('contribution_id', '=', $id) + ->execute(); + } + catch (API_Exception $e) { + // likely don't have permission for events/participants + $participantLineItems = []; + } $associatedParticipants = FALSE; - if ($participantLineItems->count()) { - foreach ($participantLineItems as $participant) { - $associatedParticipants[] = [ - 'participantLink' => CRM_Utils_System::url('civicrm/contact/view/participant', - "action=view&reset=1&id={$participant['entity_id']}&cid={$participant['participant.contact_id']}&context=home" - ), - 'participantName' => $participant['contact.display_name'], - 'fee' => implode(', ', $participant['participant.fee_level']), - 'role' => implode(', ', $participant['participant.role_id:label']), - ]; - } + foreach ($participantLineItems as $participant) { + $associatedParticipants[] = [ + 'participantLink' => CRM_Utils_System::url('civicrm/contact/view/participant', + 
"action=view&reset=1&id={$participant['entity_id']}&cid={$participant['participant.contact_id']}&context=home" + ), + 'participantName' => $participant['contact.display_name'], + 'fee' => implode(', ', $participant['participant.fee_level']), + 'role' => implode(', ', $participant['participant.role_id:label']), + ]; } $this->assign('associatedParticipants', $associatedParticipants); diff --git a/tests/phpunit/CRM/Contribute/Form/ContributionViewTest.php b/tests/phpunit/CRM/Contribute/Form/ContributionViewTest.php new file mode 100644 index 0000000000..bf7d275924 --- /dev/null +++ b/tests/phpunit/CRM/Contribute/Form/ContributionViewTest.php @@ -0,0 +1,58 @@ +userPermissionClass->permissions = [ + 'access CiviCRM', + 'access all custom data', + 'edit all contacts', + 'access CiviContribute', + 'edit contributions', + 'delete in CiviContribute', + ]; + $contact_id = $this->individualCreate(); + $contribution = $this->callAPISuccess('Contribution', 'create', [ + 'contact_id' => $contact_id, + 'financial_type_id' => 'Donation', + 'total_amount' => '10', + ]); + + $_SERVER['REQUEST_URI'] = "civicrm/contact/view/contribution?reset=1&action=view&id={$contribution['id']}&cid={$contact_id}"; + $_GET['q'] = $_REQUEST['q'] = 'civicrm/contact/view/contribution'; + $_GET['reset'] = $_REQUEST['reset'] = 1; + $_GET['action'] = $_REQUEST['action'] = 'view'; + $_GET['id'] = $_REQUEST['id'] = $contribution['id']; + $_GET['cid'] = $_REQUEST['cid'] = $contact_id; + + $item = CRM_Core_Invoke::getItem(['civicrm/contact/view/contribution']); + ob_start(); + CRM_Core_Invoke::runItem($item); + $contents = ob_get_clean(); + + unset($_GET['q'], $_REQUEST['q']); + unset($_GET['reset'], $_REQUEST['reset']); + unset($_GET['action'], $_REQUEST['action']); + unset($_GET['id'], $_REQUEST['id']); + unset($_GET['cid'], $_REQUEST['cid']); + + $this->assertRegExp('/Contribution Total:\s+\$10\.00/', $contents); + $this->assertStringContainsString('Mr. Anthony Anderson II', $contents); + } + +} -- 2.25.1
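Review bot: The new `catch (API_Exception $e)` around the `LineItem::get()` call treats every API failure as a missing permission, which the inline comment itself only calls "likely"; a broken join or a database error would now render as "no associated participants" with nothing recorded. Keeping the permission check on and falling back to an empty list is the right fail-closed default, but the catch would be safer narrowed to the authorization failure, e.g. `catch (\Civi\API\Exception\UnauthorizedException $e) {`, assuming that is the class the API layer raises here, so that other errors still surface. If the broad catch stays, a line such as `\Civi::log()->debug('Participant line items hidden: ' . $e->getMessage());` would keep the denial visible to an administrator. The enclosing method starts and ends outside this hunk.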
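Review bot: The new test only proves that the page renders; it never attaches a participant payment to the contribution, so it does not pin the permission boundary this change relies on, namely that participant details stay hidden from a user without event permissions. Adding a participant line item and asserting that the `civicrm/contact/view/participant` link does not appear in `$contents` would cover that. Separately, the `unset()` calls and `ob_get_clean()` run only if `CRM_Core_Invoke::runItem($item)` returns, and `$_SERVER['REQUEST_URI']` is never restored, so a failure leaks request state and an open output buffer into later tests; wrapping the invoke in `try { … } finally { … }` with the cleanup in the `finally` branch avoids that. The class and method header of this new file are not visible in the hunk as shown.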