From e2d09ab4e131e52b531c149a32b7c7ec4378010c Mon Sep 17 00:00:00 2001
From: Eileen McNaughton
Date: Thu, 15 May 2014 17:17:09 +1200
Subject: [PATCH] CRM-14626 fix event acl so that view event info & register for events are 'all' permissions
---
 CRM/Core/Block.php | 2 ++
 CRM/Core/Permission.php | 7 ++++++-
 CRM/Event/BAO/Event.php | 17 +++++++++++++++--
 CRM/Event/Cart/Page/AddToCart.php | 5 +----
 CRM/Event/Form/Registration.php | 9 ++++++++-
 CRM/Event/Page/EventInfo.php | 4 ++--
 6 files changed, 34 insertions(+), 10 deletions(-)
diff --git a/CRM/Core/Block.php b/CRM/Core/Block.php
index bbf5ec6e52..5deb7a95bd 100644
--- a/CRM/Core/Block.php
+++ b/CRM/Core/Block.php
@@ -549,6 +549,8 @@ class CRM_Core_Block {
 $session = CRM_Core_Session::singleton();
 // check if registration link should be displayed
 foreach ($info as $id => $event) {
+ //@todo FIXME - validRegistraionRequest takes eventID not contactID as a param
+ // this is called via an obscure patch from Joomla event block rendering (only)
 $info[$id]['onlineRegistration'] = CRM_Event_BAO_Event::validRegistrationRequest($event,
 $session->get('userID')
 );
diff --git a/CRM/Core/Permission.php b/CRM/Core/Permission.php
index fc5245ae43..d3f158ab9b 100644
--- a/CRM/Core/Permission.php
+++ b/CRM/Core/Permission.php
@@ -313,7 +313,12 @@ class CRM_Core_Permission {
 }
 }
- public static function event($type = CRM_Core_Permission::VIEW, $eventID = NULL) {
+ public static function event($type = CRM_Core_Permission::VIEW, $eventID = NULL, $context = '') {
+ if(!empty($context)) {
+ if(CRM_Core_Permission::check($context)) {
+ return TRUE;
+ }
+ }
 $events = CRM_Event_PseudoConstant::event(NULL, TRUE);
 $includeEvents = array();
diff --git a/CRM/Event/BAO/Event.php b/CRM/Event/BAO/Event.php
index 72b569fec7..71a76376e4 100644
--- a/CRM/Event/BAO/Event.php
+++ b/CRM/Event/BAO/Event.php
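Review bot: The two added comment lines name the bug but leave it in place: the call that follows still passes `$session->get('userID')` — a contact ID — where `validRegistrationRequest()` now documents an event ID, so for a user who lacks the blanket 'register for events' permission the per-event ACL fallback is evaluated against whichever event happens to share their contact ID. The loop already has the event's key in hand, so the fix is to pass it instead, `CRM_Event_BAO_Event::validRegistrationRequest($event, $id)` (assuming the keys of `$info` are event IDs — confirm against where `$info` is built). While here, fix the typo `validRegistraionRequest` in the comment. The enclosing method starts before the hunk and continues after it.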
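Review bot: The new short-circuit returns `TRUE` without looking at `$eventID`, so a call with `$context` set but `$eventID = NULL` now yields a boolean where the remainder of `event()` (outside the hunk, but visibly starting to build `$includeEvents`) appears to return a list of permitted events; a caller that filters with `in_array()` or `array_key_exists()` on that result would get a warning and a denial rather than "all events". Either limit the shortcut to single-event checks, `if (!empty($context) && $eventID && CRM_Core_Permission::check($context)) { return TRUE; }`, or return the full event list in the NULL case, and add a docblock saying that a granted `$context` permission bypasses per-event ACLs entirely since that is the security decision this commit makes. `$context` is a caller-supplied permission name handed straight to `check()`, so call sites should stay literal strings. Minor style: CiviCRM writes `if (` with a space on both added lines.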
@@ -809,6 +809,12 @@ WHERE civicrm_event.is_active = 1
 }
 // check 'view event info' permission
+ //@todo - per CRM-14626 we have resolved that 'view event info' means 'view ALL event info'
+ // and passing in the specific permission here will short-circuit the evaluation of permission to
+ // see specific events (doesn't seem relevant to this call
+ // however, since this function is accessed only by a convoluted call from a joomla block function
+ // it seems safer not to touch here. Suggestion is that CRM_Core_Permission::check(array or relevant permissions) would
+ // be clearer & safer here
 $permissions = CRM_Core_Permission::event(CRM_Core_Permission::VIEW);
 // check if we're in shopping cart mode for events
@@ -1800,10 +1806,17 @@ WHERE ce.loc_block_id = $locBlockId";
 return CRM_Core_DAO::singleValueQuery($query);
 }
- static function validRegistrationRequest($values, $contactID) {
+ /**
+ * Check if event registration is valid according to permissions AND Dates
+ *
+ * @param array $values
+ * @param integer $eventID
+ * @return boolean
+ */
+ static function validRegistrationRequest($values, $eventID) {
 // check that the user has permission to register for this event
 $hasPermission = CRM_Core_Permission::event(CRM_Core_Permission::EDIT,
- $contactID
+ $eventID, 'register for events'
 );
 return $hasPermission && self::validRegistrationDate($values);
diff --git a/CRM/Event/Cart/Page/AddToCart.php b/CRM/Event/Cart/Page/AddToCart.php
index 6311f964a5..f22f3fd480 100644
--- a/CRM/Event/Cart/Page/AddToCart.php
+++ b/CRM/Event/Cart/Page/AddToCart.php
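Review bot: The six added comment lines are hard to follow: the parenthesis opened in `// see specific events (doesn't seem relevant to this call` is never closed, `array or relevant permissions` should read `array of relevant permissions`, and the design decision is tangled up with the reason for not acting on it. Suggest collapsing them to `// CRM-14626: 'view event info' now means 'view ALL event info'. It is deliberately NOT passed as $context` / `// here because that would short-circuit the per-event ACL list this code needs.` plus a one-line `@todo` pointing at CRM_Core_Permission::check() with an array of permissions. The enclosing function begins before the hunk.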
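Review bot: The new docblock promises `$eventID` but the function forwards whatever it is given, and the only caller visible in this patch (the Joomla block in CRM/Core/Block.php) still passes a contact ID per its own @todo, so the documented contract and the runtime contract disagree until that caller is fixed. The docblock should also state the effective rule, since it is the security-relevant part: `@return boolean TRUE when the user holds 'register for events' (which bypasses per-event ACLs) or has the EDIT ACL on $eventID, AND the event is within its registration dates per validRegistrationDate().` Consider `@param int $eventID` rather than `integer`, per the project's usual short form.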
@@ -4,12 +4,9 @@ class CRM_Event_Cart_Page_AddToCart extends CRM_Core_Page {
 $transaction = new CRM_Core_Transaction();
 $this->_id = CRM_Utils_Request::retrieve('id', 'Positive', $this, TRUE);
- if (!CRM_Core_Permission::check('register for events')) {
+ if (!CRM_Core_Permission::event(CRM_Core_Permission::VIEW, $this->_id, 'register for events')) {
 CRM_Core_Error::fatal(ts('You do not have permission to register for this event'));
 }
- if (!CRM_Core_Permission::event(CRM_Core_Permission::VIEW, $this->_id)) {
- CRM_Core_Error::fatal(ts('You cannot register for an event you do not have permission to view'));
- }
 $cart = CRM_Event_Cart_BAO_Cart::find_or_create_for_current_session();
 $event_in_cart = $cart->add_event($this->_id);
diff --git a/CRM/Event/Form/Registration.php b/CRM/Event/Form/Registration.php
index 5a234b24e5..1072a9efec 100644
--- a/CRM/Event/Form/Registration.php
+++ b/CRM/Event/Form/Registration.php
@@ -243,7 +243,7 @@ class CRM_Event_Form_Registration extends CRM_Core_Form {
 );
 // this is the first time we are hitting this, so check for permissions here
- if (!CRM_Core_Permission::event(CRM_Core_Permission::EDIT, $this->_eventId)) {
+ if (!CRM_Core_Permission::event(CRM_Core_Permission::EDIT, $this->_eventId, 'register for events')) {
 CRM_Core_Error::statusBounce(ts('You do not have permission to register for this event'), $infoUrl);
 }
@@ -1327,6 +1327,13 @@ WHERE v.option_group_id = g.id
 }
 }
+ /**
+ * @todo - combine this with CRM_Event_BAO_Event::validRegistrationRequest
+ * (probably extract relevant values here & call that with them & handle bounces & redirects here -as
+ * those belong in the form layer)
+ *
+ * @param string $redirect
+ */
 function checkValidEvent($redirect = NULL) {
 // is the event active (enabled)?
 if (!$this->_values['event']['is_active']) {
diff --git a/CRM/Event/Page/EventInfo.php b/CRM/Event/Page/EventInfo.php
index 2c2eff783c..1e9723564e 100644
--- a/CRM/Event/Page/EventInfo.php
+++ b/CRM/Event/Page/EventInfo.php
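Review bot: The single replacement check is looser than the two it removes in a way the commit message does not mention: the old code required BOTH 'register for events' AND view access to the event, whereas the new call succeeds for a user without 'register for events' as long as the per-event VIEW ACL passes, and the equivalent fallback in CRM/Event/Form/Registration.php (same patch) uses EDIT. To keep the two registration entry points consistent, use `if (!CRM_Core_Permission::event(CRM_Core_Permission::EDIT, $this->_id, 'register for events')) {`. If VIEW is really intended for the cart path, say so in a comment above the `if`, because the fatal message still speaks of permission to register. The enclosing method starts before the hunk and continues after it.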
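Review bot: The new docblock on `checkValidEvent()` records the @todo but not the method's contract: `$redirect` defaults to `NULL`, so the tag should be `@param string|null $redirect`, and there is no summary line or `@return`. A one-line description should precede the @todo; from the visible first statement it at least rejects events with `is_active` unset, but the body continues past the hunk so I cannot state the full set of checks. Also write `- as` rather than `-as` in the parenthetical.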
@@ -55,7 +55,7 @@ class CRM_Event_Page_EventInfo extends CRM_Core_Page {
 $config = CRM_Core_Config::singleton();
 // ensure that the user has permission to see this page
 if (!CRM_Core_Permission::event(CRM_Core_Permission::VIEW,
- $this->_id
+ $this->_id, 'view event info'
 )) {
 CRM_Utils_System::setUFMessage(ts('You do not have permission to view this event'));
 return CRM_Utils_System::permissionDenied();
@@ -90,7 +90,7 @@ class CRM_Event_Page_EventInfo extends CRM_Core_Page {
 // Add Event Type to $values in case folks want to display it
 $values['event']['event_type'] = CRM_Utils_Array::value($values['event']['event_type_id'], CRM_Event_PseudoConstant::eventType());
-
+
 $this->assign('isShowLocation', CRM_Utils_Array::value('is_show_location', $values['event']));
 // show event fees.
--
2.25.1
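Review bot: Passing 'view event info' as the third argument means the `check()` shortcut added to `CRM_Core_Permission::event()` runs before any per-event ACL is consulted, so every holder of that blanket permission can now open events whose ACLs previously hid them from this page; whether that includes anonymous visitors depends on the site's role configuration, which is not visible here. That is the decision CRM-14626 records, but it should be stated at the check so nobody later "tightens" it or loosens it by accident, e.g. `// CRM-14626: 'view event info' grants access to every event; per-event ACLs only apply to users who lack it.` above the `if`. The `// ensure that the user has permission to see this page` comment is now slightly misleading and could be merged into that line. The enclosing method continues past the hunk.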