From e68f2900901898b3794d0eecf7fb4e05173b2f6e Mon Sep 17 00:00:00 2001
From: Web Access
Date: Fri, 10 Jul 2015 18:36:17 +0530
Subject: [PATCH] Additional changes
---
 CRM/Admin/Page/ScheduleReminders.php | 6 ++++++
 CRM/Core/DAO/permissions.php | 11 +++++++++++
 Civi/API/Subscriber/PermissionCheck.php | 11 +++++++++++
 3 files changed, 28 insertions(+)
diff --git a/CRM/Admin/Page/ScheduleReminders.php b/CRM/Admin/Page/ScheduleReminders.php
index 3f965e0486..6a4ea9ba8b 100644
--- a/CRM/Admin/Page/ScheduleReminders.php
+++ b/CRM/Admin/Page/ScheduleReminders.php
@@ -136,6 +136,12 @@ class CRM_Admin_Page_ScheduleReminders extends CRM_Core_Page_Basic {
 * @return void
 */
 public function browse($action = NULL) {
+ //CRM-16777: Do not permit access to user, for page 'Administer->Communication->Schedule Reminder',
+ //when do not have 'administer CiviCRM' permission.
+ if (!CRM_Core_Permission::check('administer CiviCRM')) {
+ CRM_Core_Error::fatal(ts('You do not have permission to access this page.'));
+ }
+
 // Get list of configured reminders
 $reminderList = CRM_Core_BAO_ActionSchedule::getList();
diff --git a/CRM/Core/DAO/permissions.php b/CRM/Core/DAO/permissions.php
index d71a45f6bf..661570ab62 100644
--- a/CRM/Core/DAO/permissions.php
+++ b/CRM/Core/DAO/permissions.php
@@ -431,6 +431,17 @@ function _civicrm_api3_permissions($entity, $action, &$params) {
 'edit pledges',
 ),
 );
+
+ //CRM-16777: Disable schedule reminder for user that have 'edit all events' and 'administer CiviCRM' permission.
+ $permissions['action_schedule'] = array(
+ 'update' => array(
+ array(
+ 'access CiviCRM',
+ 'edit all events',
+ ),
+ ),
+ );
+
 $permissions['pledge_payment'] = array(
 'create' => array(
 'access CiviCRM',
diff --git a/Civi/API/Subscriber/PermissionCheck.php b/Civi/API/Subscriber/PermissionCheck.php
index 5801f88226..aac7bcb106 100644
--- a/Civi/API/Subscriber/PermissionCheck.php
+++ b/Civi/API/Subscriber/PermissionCheck.php
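Review bot: The guard added at the top of `browse()` in CRM/Admin/Page/ScheduleReminders.php reports a denied request through `CRM_Core_Error::fatal()`, which treats an expected authorization failure as a system error; `CRM_Utils_System::permissionDenied();` ends the request as an access denial and keeps the fatal-error log meaningful. The check also covers only the listing view, and the rest of the class is outside this hunk, so the add, edit and delete paths for reminders presumably rely on other checks that should be confirmed to enforce the same rule. The comment would read more clearly as `// CRM-16777: the reminder list is admin-only; require 'administer CiviCRM'.`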
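Review bot: The comment above `$permissions['action_schedule']` in CRM/Core/DAO/permissions.php names 'administer CiviCRM', but the array lists 'access CiviCRM' and 'edit all events', and it nests them one level deeper than the flat lists used by the pledge entries around it. If the permission checker reads an inner array as alternatives (as I believe CiviCRM's does), `update` is allowed to anyone holding either permission, which is broader than an admin-only rule rather than narrower. Only `update` is listed, so every other action falls back to whatever default the function applies outside this hunk. The comment should state the intended rule, e.g. `// CRM-16777: updating a reminder requires 'access CiviCRM' OR 'edit all events'; other actions keep the default`, and the nesting should be confirmed as deliberate.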
@@ -106,6 +106,17 @@ class PermissionCheck implements EventSubscriberInterface {
 return TRUE;
 }
 break;
+
+ //CRM-16777: Disable schedule reminder with ACLs.
+ case 'ActionSchedule':
+ $events = \CRM_Event_BAO_Event::getEvents();
+ $aclEdit = \CRM_ACL_API::group(\CRM_Core_Permission::EDIT, NULL, 'civicrm_event', $events);
+ $param = array('id'=>$apiRequest['params']['id']);
+ $eventId = \CRM_Core_BAO_ActionSchedule::retrieve($param, $value = array());
+ if (in_array($eventId->entity_value, $aclEdit)) {
+ return TRUE;
+ }
+ break;
 }
 return FALSE;
--
2.25.1
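Review bot: The new `ActionSchedule` case in Civi/API/Subscriber/PermissionCheck.php reads `$eventId->entity_value` without first checking that the request carried an `id` or that `retrieve()` found a row, so an id-less or stale request reaches a property read on a non-object instead of a clean denial. The ACL comparison also treats `entity_value` as an event id without confirming the reminder is event-based; if reminders can point at other record types (not visible in this hunk), an unrelated numeric id could satisfy the loose `in_array()` and authorize the call. Passing `$value = array()` inline is fragile if `retrieve()` takes its second argument by reference, and the result is a schedule record rather than an event id, so `$schedule` is a clearer name. The enclosing method starts and ends outside the hunk; a guarded version of the case is sketched below.

```php
      case 'ActionSchedule':
        // Without an id the request cannot be tied to one existing reminder: deny.
        if (empty($apiRequest['params']['id'])) {
          break;
        }
        $param = array('id' => $apiRequest['params']['id']);
        $value = array();
        $schedule = \CRM_Core_BAO_ActionSchedule::retrieve($param, $value);
        // TODO(review): also confirm the reminder is attached to an event before comparing ids.
        if (!$schedule || empty($schedule->entity_value)) {
          break;
        }
        // … unchanged: $events and $aclEdit lookup …
        if (in_array($schedule->entity_value, $aclEdit)) {
          return TRUE;
        }
        break;
```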