From c108566b66a14f46b0ff9fe10dc3cf4d15ce12ac Mon Sep 17 00:00:00 2001
From: Coleman Watts
Date: Thu, 16 Jul 2015 21:52:24 -0400
Subject: [PATCH] CRM-16836 - Enforce permissions in group api getoptions
---
 CRM/Contact/BAO/GroupContact.php | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/CRM/Contact/BAO/GroupContact.php b/CRM/Contact/BAO/GroupContact.php
index d29b3267b5..2a564f3feb 100644
--- a/CRM/Contact/BAO/GroupContact.php
+++ b/CRM/Contact/BAO/GroupContact.php
@@ -799,10 +799,15 @@ AND contact_id IN ( $contactStr )
 $options = CRM_Core_PseudoConstant::get(__CLASS__, $fieldName, $params, $context);
- // Sort group list by hierarchy
- // TODO: This will only work when api.entity is "group_contact". What about others?
- if (($fieldName == 'group' || $fieldName == 'group_id') && ($context == 'search' || $context == 'create')) {
- $options = CRM_Contact_BAO_Group::getGroupsHierarchy($options, NULL, '- ', TRUE);
+ if (($fieldName == 'group' || $fieldName == 'group_id')) {
+ // Enforce group visibility permissions
+ if (!empty($props['check_permissions'])) {
+ $options = CRM_Core_PseudoConstant::group();
+ }
+ if ($context == 'search' || $context == 'create') {
+ // Sort group list by hierarchy
+ $options = CRM_Contact_BAO_Group::getGroupsHierarchy($options, NULL, '- ', TRUE);
+ }
 }
 return $options;
--
2.25.1
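Review bot: The permission branch overwrites `$options` with `CRM_Core_PseudoConstant::group()` instead of narrowing the list that `get()` already built from `$fieldName`, `$params` and `$context`, so a permission-checked caller receives a list that ignores whatever `get()` applied for that context. If the option keys are group ids in every context (not visible in this hunk), `$options = array_intersect_key($options, CRM_Core_PseudoConstant::group());` would keep the context-specific output and still drop groups the user may not see. The filter also runs only when `$props['check_permissions']` is non-empty, so any caller that omits the flag still gets the full list; a comment such as `// NOTE: options are not permission-filtered unless $props['check_permissions'] is set` would make that opt-in contract explicit. `$props` and the enclosing function's signature are outside the hunk, so how the flag reaches this code should be confirmed against the callers.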