From d911078871db176b833932e717bd4dc5c3b3db17 Mon Sep 17 00:00:00 2001
From: Coleman Watts
Date: Thu, 21 Jan 2016 15:34:57 -0500
Subject: [PATCH] CRM-17645 - Support either 'access my' or 'access all' cases in api permissions
---
 CRM/Core/DAO/permissions.php | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/CRM/Core/DAO/permissions.php b/CRM/Core/DAO/permissions.php
index 3c81f7d83b..e9a9ffca85 100644
--- a/CRM/Core/DAO/permissions.php
+++ b/CRM/Core/DAO/permissions.php
@@ -27,7 +27,6 @@
 /**
  * Decide what permissions to check for an api call
- * The contact must have all of the returned permissions for the api call to be allowed
  *
  * @param $entity : (str) api entity
  * @param $action : (str) api action
@@ -54,6 +53,9 @@ function _civicrm_api3_permissions($entity, $action, &$params) {
  * * default: catch-all for anything not declared
  *
  * Note: some APIs declare other actions as well
+ *
+ * Permissions should use arrays for AND and arrays of arrays for OR
+ * @see CRM_Core_Permission::check for more documentation
  */
  $permissions = array();
@@ -177,15 +179,18 @@ function _civicrm_api3_permissions($entity, $action, &$params) {
  'delete in CiviCase',
  ),
  'default' => array(
- // This is the minimum permission needed. Finer-grained access is controlled by CRM_Case_BAO_Case::addSelectWhereClause
- 'access my cases and activities',
+ // At minimum the user needs one of the following. Finer-grained access is controlled by CRM_Case_BAO_Case::addSelectWhereClause
+ array('access my cases and activities', 'access all cases and activities'),
  ),
  );
  $permissions['case_contact'] = $permissions['case'];
  $permissions['case_type'] = array(
  'default' => array('administer CiviCase'),
- 'get' => array('access my cases and activities'),
+ 'get' => array(
+ // nested array = OR
+ array('access my cases and activities', 'access all cases and activities'),
+ ),
  );
  // Campaign permissions
--
2.25.1
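Review bot: The AND/OR rule is now stated only in the in-body comment above `$permissions = array();`, while the first hunk deletes the one sentence in the function docblock that told callers how the returned list is evaluated. Replacing that sentence instead of dropping it would keep the contract where callers look for it, for example ` * A flat list means all permissions are required; a nested array means any one of its members is sufficient (see CRM_Core_Permission::check)`. The function docblock continues outside the first hunk, so an existing `@return` line may already cover part of this.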
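Review bot: The either-or group is placed in `'default'`, the catch-all for every Case action not declared above it, and `$permissions['case_contact'] = $permissions['case'];` copies it, so the relaxed check is not limited to read actions. The comment defers finer-grained control to `CRM_Case_BAO_Case::addSelectWhereClause`, which by its name filters select queries; whether write-style actions that fall through to `'default'` get an equivalent per-case check is not visible in this hunk and should be confirmed. The returned structure also changes from a flat list of strings to a list that may contain arrays, so any consumer that walks the result expecting strings (a permission-altering hook, for instance) should be checked against the nested form. A test that calls a Case API once with only 'access all cases and activities' and once with neither permission would pin the intended behaviour. The `$permissions['case']` array starts outside the hunk.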