From eba13f6d64a543c34fda46bb04adf8f429b8bcc3 Mon Sep 17 00:00:00 2001
From: Edsel
Date: Wed, 10 Feb 2016 16:58:58 +0530
Subject: [PATCH] CRM-16259 CIVI-3 Modified permission checks for payment api

----------------------------------------
* CRM-16259: Create Payment API
https://issues.civicrm.org/jira/browse/CRM-16259
---
 CRM/Core/DAO/permissions.php | 28 ++++++++++++++++++++++++++++
 api/v3/Payment.php | 12 ------------
 tests/phpunit/api/v3/PaymentTest.php | 26 ++++++++++----------------
 3 files changed, 38 insertions(+), 28 deletions(-)

diff --git a/CRM/Core/DAO/permissions.php b/CRM/Core/DAO/permissions.php
index f525fe139b..33ca4dc6b7 100644
--- a/CRM/Core/DAO/permissions.php
+++ b/CRM/Core/DAO/permissions.php
@@ -236,6 +236,34 @@ function _civicrm_api3_permissions($entity, $action, &$params) {
 );
 $permissions['line_item'] = $permissions['contribution'];
+ // Payment permissions
+ $permissions['payment'] = array(
+ 'get' => array(
+ 'access CiviCRM',
+ 'access CiviContribute',
+ ),
+ 'delete' => array(
+ 'access CiviCRM',
+ 'access CiviContribute',
+ 'delete in CiviContribute',
+ ),
+ 'cancel' => array(
+ 'access CiviCRM',
+ 'access CiviContribute',
+ 'edit contributions',
+ ),
+ 'create' => array(
+ 'access CiviCRM',
+ 'access CiviContribute',
+ 'edit contributions',
+ ),
+ 'default' => array(
+ 'access CiviCRM',
+ 'access CiviContribute',
+ 'edit contributions',
+ ),
+ );
+
 // Custom field permissions
 $permissions['custom_field'] = array(
 'default' => array(
diff --git a/api/v3/Payment.php b/api/v3/Payment.php
index e7b88ef01a..4de7545221 100644
--- a/api/v3/Payment.php
+++ b/api/v3/Payment.php
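Review bot: The `cancel` and `create` entries repeat the `default` entry verbatim, so the new `$permissions['payment']` table can be cut to `get`, `delete` and `default` with no change in what is enforced and one fewer place for the copies to drift apart the next time someone edits one of them. More important for operators: every action now also requires `access CiviCRM`, which the per-function guards removed from api/v3/Payment.php in this same patch never asked for (they tested `access CiviContribute` plus the action permission), so a role provisioned with only CiviContribute permissions would start failing on this API, assuming the framework ANDs the listed permissions as the test messages imply; that tightening deserves a line in the commit message. `_civicrm_api3_permissions` begins and ends outside the hunk.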
@@ -41,9 +41,6 @@
 * Array of financial transactions which are payments, if error an array with an error id and error message
 */
 function civicrm_api3_payment_get($params) {
- if (!CRM_Core_Permission::check('access CiviContribute')) {
- throw new API_Exception('You do not have permission to access this api');
- }
 $financialTrxn = array();
 $limit = '';
 if (isset($params['options']) && CRM_Utils_Array::value('limit', $params['options'])) {
@@ -88,9 +85,6 @@ function civicrm_api3_payment_get($params) {
 * Api result array
 */
 function civicrm_api3_payment_delete(&$params) {
- if (!(CRM_Core_Permission::check('access CiviContribute') && CRM_Core_Permission::check('delete in CiviContribute'))) {
- throw new API_Exception('You do not have permission to access this api');
- }
 return civicrm_api3('FinancialTrxn', 'delete', $params);
 }
@@ -105,9 +99,6 @@ function civicrm_api3_payment_delete(&$params) {
 * Api result array
 */
 function civicrm_api3_payment_cancel(&$params) {
- if (!(CRM_Core_Permission::check('access CiviContribute') && CRM_Core_Permission::check('edit contributions'))) {
- throw new API_Exception('You do not have permission to access this api');
- }
 $eftParams = array(
 'entity_table' => 'civicrm_contribution',
 'financial_trxn_id' => $params['id'],
@@ -135,9 +126,6 @@ function civicrm_api3_payment_cancel(&$params) {
 * Api result array
 */
 function civicrm_api3_payment_create(&$params) {
- if (!(CRM_Core_Permission::check('access CiviContribute') && CRM_Core_Permission::check('edit contributions'))) {
- throw new API_Exception('You do not have permission to access this api');
- }
 // Check if it is an update
 if (CRM_Utils_Array::value('id', $params)) {
 $amount = $params['total_amount'];
diff --git a/tests/phpunit/api/v3/PaymentTest.php b/tests/phpunit/api/v3/PaymentTest.php
index d58fc91bf0..df91c8c1ab 100644
--- a/tests/phpunit/api/v3/PaymentTest.php
+++ b/tests/phpunit/api/v3/PaymentTest.php
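Review bot: Deleting the `CRM_Core_Permission::check('access CiviContribute')` guard at the top of `civicrm_api3_payment_get` changes when the check runs, not just where it is declared: the guard ran on every call, while the table in CRM/Core/DAO/permissions.php is, as far as the tests' explicit `'check_permissions' => TRUE` indicates, consulted only when the caller opts in, so PHP callers that omit that flag now retrieve payment records with no permission check at all. That is how the other api3 entities behave, but for this entity it is a loosening for internal callers and a tightening (`access CiviCRM` is now required too) for external ones, and neither is mentioned in the commit message. The same applies to the delete, cancel and create hunks below; the body of `civicrm_api3_payment_get` continues past the end of the hunk.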
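Review bot: Once the guard is gone, `civicrm_api3_payment_cancel` starts by copying `$params['id']` into `$eftParams['financial_trxn_id']` with no check that `id` was supplied, so a request without it continues with a NULL transaction id (and a PHP notice) unless the action's `_spec` function, which is not in this hunk, marks `id` as `api.required`. If it does not, a guard such as `if (empty($params['id'])) { throw new API_Exception('Payment.cancel requires an id'); }` ahead of `$eftParams` makes the contract explicit and fails fast instead of running the lookup on NULL. The rest of the function lies outside the hunk.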
@@ -49,8 +49,7 @@ class api_v3_PaymentTest extends CiviUnitTestCase {
 $this->_apiversion = 3;
 $this->_individualId = $this->individualCreate();
- $config = CRM_Core_Config::singleton();
- $config->userPermissionClass->permissions = array();
+ CRM_Core_Config::singleton()->userPermissionClass->permissions = array();
 }
 /**
@@ -59,8 +58,7 @@ class api_v3_PaymentTest extends CiviUnitTestCase {
 public function tearDown() {
 $this->quickCleanUpFinancialEntities();
 $this->quickCleanup(array('civicrm_uf_match'));
- $config = CRM_Core_Config::singleton();
- unset($config->userPermissionClass->permissions);
+ unset(CRM_Core_Config::singleton()->userPermissionClass->permissions);
 }
 /**
@@ -81,9 +79,8 @@ class api_v3_PaymentTest extends CiviUnitTestCase {
 'contribution_id' => $contribution['id'],
 'check_permissions' => TRUE,
 );
- CRM_Core_Config::singleton()->userPermissionClass->permissions = array('administer CiviCRM');
- $payment = $this->callAPIFailure('payment', 'get', $params);
- $this->assertEquals('You do not have permission to access this api', $payment['error_message']);
+ CRM_Core_Config::singleton()->userPermissionClass->permissions = array('access CiviCRM', 'administer CiviCRM');
+ $payment = $this->callAPIFailure('payment', 'get', $params, 'API permission check failed for Payment/get call; insufficient permission: require access CiviCRM and access CiviContribute');
 array_push(CRM_Core_Config::singleton()->userPermissionClass->permissions, 'access CiviContribute');
@@ -301,10 +298,9 @@ class api_v3_PaymentTest extends CiviUnitTestCase {
 'id' => $payment['id'],
 'check_permissions' => TRUE,
 );
- $payment = $this->callAPIFailure('payment', 'cancel', $cancelParams);
- $this->assertEquals('You do not have permission to access this api', $payment['error_message']);
+ $payment = $this->callAPIFailure('payment', 'cancel', $cancelParams, 'API permission check failed for Payment/get call; insufficient permission: require access CiviCRM and edit contributions');
- array_push(CRM_Core_Config::singleton()->userPermissionClass->permissions, 'edit contributions');
+ array_push(CRM_Core_Config::singleton()->userPermissionClass->permissions, 'access CiviCRM', 'edit contributions');
 $this->callAPIAndDocument('payment', 'cancel', $cancelParams, __FUNCTION__, __FILE__);
@@ -338,10 +334,9 @@ class api_v3_PaymentTest extends CiviUnitTestCase {
 'id' => $payment['id'],
 'check_permissions' => TRUE,
 );
- $payment = $this->callAPIFailure('payment', 'delete', $deleteParams);
- $this->assertEquals('You do not have permission to access this api', $payment['error_message']);
+ $payment = $this->callAPIFailure('payment', 'delete', $deleteParams, 'API permission check failed for Payment/get call; insufficient permission: require access CiviCRM and delete in CiviContribute');
- array_push(CRM_Core_Config::singleton()->userPermissionClass->permissions, 'delete in CiviContribute');
+ array_push(CRM_Core_Config::singleton()->userPermissionClass->permissions, 'access CiviCRM', 'delete in CiviContribute');
 $this->callAPIAndDocument('payment', 'delete', $deleteParams, __FUNCTION__, __FILE__);
 $payment = $this->callAPIAndDocument('payment', 'get', $params, __FUNCTION__, __FILE__);
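Review bot: The expected error literal passed to `callAPIFailure` says `Payment/get` and lists `access CiviCRM and edit contributions`, but this is a `cancel` call and the `cancel` entry added to CRM/Core/DAO/permissions.php in this patch requires three permissions (`access CiviCRM`, `access CiviContribute`, `edit contributions`). If the framework composes the message from the requested action and the full required list, this assertion cannot pass as written; if it does pass, the string misdescribes to anyone reading the test what is actually being checked. It looks like a copy of the `get` case and should be `'API permission check failed for Payment/cancel call; insufficient permission: require access CiviCRM and access CiviContribute and edit contributions'` (or whatever the framework really emits for this action). The enclosing test method starts and ends outside the hunk.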
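Review bot: The negative case in the delete test now has two permissions missing at once — `access CiviCRM` and `delete in CiviContribute`, as the expected message itself says — so the failure is already explained by the missing `access CiviCRM` and the test shows that the delete permission is required only through the error string, not through behaviour. Pushing `'access CiviCRM'` first, asserting the call still fails, and only then pushing `'delete in CiviContribute'` before the `callAPIAndDocument` success call would check the gate behaviourally. The expected string also names `Payment/get` on a `delete` call, as in the cancel test above, and should name the action actually requested. The enclosing test method starts and ends outside the hunk.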
@@ -393,10 +388,9 @@ class api_v3_PaymentTest extends CiviUnitTestCase {
 'id' => $payment['id'],
 'check_permissions' => TRUE,
 );
- $payment = $this->callAPIFailure('payment', 'create', $params);
- $this->assertEquals('You do not have permission to access this api', $payment['error_message']);
+ $payment = $this->callAPIFailure('payment', 'create', $params, 'API permission check failed for Payment/get call; insufficient permission: require access CiviCRM and edit contributions');
- array_push(CRM_Core_Config::singleton()->userPermissionClass->permissions, 'edit contributions');
+ array_push(CRM_Core_Config::singleton()->userPermissionClass->permissions, 'access CiviCRM', 'edit contributions');
 $payment = $this->callAPIAndDocument('payment', 'create', $params, __FUNCTION__, __FILE__);
 $params = array(

-- 
2.25.1
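Review bot: As in the cancel and delete tests, the expected string here names `Payment/get` although the call is `create`, and lists `access CiviCRM and edit contributions` while the `create` entry in the new permissions table also requires `access CiviContribute`; unless the framework reports something other than the requested action and the full required list, this assertion will not match, and if it does match it documents the wrong action. Recommend `'API permission check failed for Payment/create call; insufficient permission: require access CiviCRM and access CiviContribute and edit contributions'` (or the framework's actual text). Note also that the params carry `'id' => $payment['id']`, which in `civicrm_api3_payment_create` selects the update branch, so within this hunk the create permission is only exercised for an update, not a fresh payment. The enclosing test method begins outside the hunk.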