From e26bc72e5e732cb6226edd0718f0df484f952ed0 Mon Sep 17 00:00:00 2001
From: Seamus Lee
Date: Wed, 27 Nov 2019 06:41:41 +1100
Subject: [PATCH] Conditionally add metadata for advanced search only if the user has access for searching to that perticular component
---
 CRM/Contact/Form/Search.php | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/CRM/Contact/Form/Search.php b/CRM/Contact/Form/Search.php
index a225db1225..f62137c658 100644
--- a/CRM/Contact/Form/Search.php
+++ b/CRM/Contact/Form/Search.php
@@ -906,16 +906,30 @@ class CRM_Contact_Form_Search extends CRM_Core_Form_Search {
 return ts('Search');
 }
 
+ /**
+ * Check Access for a component
+ * @param string $component
+ * @return bool
+ */
+ protected static function checkComponentAccess($component) {
+ $enabledComponents = CRM_Core_Component::getEnabledComponents();
+ if (!array_key_exists($component, $enabledComponents)) {
+ return FALSE;
+ }
+ return CRM_Core_Permission::access($component);
+ }
+
 /**
 * Load metadata for fields on the form.
 *
 * @throws \CiviCRM_API3_Exception
 */
 protected function loadMetadata() {
- // @todo - check what happens if the person does not have 'access civicontribute' - make sure they
 // can't by pass acls by passing search criteria in the url.
- $this->addSearchFieldMetadata(['Contribution' => CRM_Contribute_BAO_Query::getSearchFieldMetadata()]);
- $this->addSearchFieldMetadata(['ContributionRecur' => CRM_Contribute_BAO_ContributionRecur::getContributionRecurSearchFieldMetadata()]);
+ if (self::checkComponentAccess('CiviContribute')) {
+ $this->addSearchFieldMetadata(['Contribution' => CRM_Contribute_BAO_Query::getSearchFieldMetadata()]);
+ $this->addSearchFieldMetadata(['ContributionRecur' => CRM_Contribute_BAO_ContributionRecur::getContributionRecurSearchFieldMetadata()]);
+ }
 }
 
 }
-- 
2.25.1
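Review bot: The context line `// can't by pass acls by passing search criteria in the url.` in loadMetadata() is left behind as an orphaned half-sentence once the `@todo` line above it is removed, and it now reads as if the new guard settles the ACL question. The guard only controls which field metadata the form registers; whether Contribution criteria supplied in the URL are also rejected further down the search path is not visible in this hunk, so the open question should stay recorded. Either drop the fragment or replace it with a complete comment such as `// Contribution fields are only registered with CiviContribute access. @todo confirm url-supplied criteria cannot bypass ACLs.` The `array_key_exists()` check in checkComponentAccess() may also duplicate a disabled-component check that `CRM_Core_Permission::access()` appears to perform itself; worth confirming before keeping both.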