From ecfbf8f42730df5c9b933552d5ffcd4c2f02907c Mon Sep 17 00:00:00 2001
From: Eileen McNaughton
Date: Thu, 14 Dec 2023 19:09:39 +1300
Subject: [PATCH] Move implementation of financial type acl out of core (leverage existing extension hooks)

---
 CRM/Contribute/Form/Contribution.php | 19 +++++---------
 CRM/Contribute/Form/Task/Delete.php | 38 ++++++++++++----------------
 2 files changed, 23 insertions(+), 34 deletions(-)

diff --git a/CRM/Contribute/Form/Contribution.php b/CRM/Contribute/Form/Contribution.php
index 31b980012d..52e1c26c2c 100644
--- a/CRM/Contribute/Form/Contribution.php
+++ b/CRM/Contribute/Form/Contribution.php
@@ -239,6 +239,13 @@ class CRM_Contribute_Form_Contribution extends CRM_Contribute_Form_AbstractEditP
 CRM_Core_Error::statusBounce(ts('You do not have permission to access this page.'));
 }
 
+ if ($this->_action & CRM_Core_Action::UPDATE && !Contribution::checkAccess()
+ ->setAction('update')
+ ->addValue('id', $this->getContributionID())
+ ->execute()->first()['access']) {
+ CRM_Core_Error::statusBounce(ts('You do not have permission to access this page.'));
+ }
+
 parent::preProcess();
 
 $this->_formType = $_GET['formType'] ?? NULL;
@@ -580,18 +587,6 @@ class CRM_Contribute_Form_Contribution extends CRM_Contribute_Form_AbstractEditP
 ]);
 return;
 }
-
- // FIXME: This probably needs to be done in preprocess
- if (CRM_Financial_BAO_FinancialType::isACLFinancialTypeStatus()
- && $this->_action & CRM_Core_Action::UPDATE
- && !empty($this->_values['financial_type_id'])
- ) {
- $financialTypeID = CRM_Contribute_PseudoConstant::financialType($this->_values['financial_type_id']);
- CRM_Financial_BAO_FinancialType::checkPermissionedLineItems($this->_id, 'edit');
- if (!CRM_Core_Permission::check('edit contributions of type ' . $financialTypeID)) {
- CRM_Core_Error::statusBounce(ts('You do not have permission to access this page.'));
- }
- }
 $allPanes = [];
 //tax rate from financialType
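Review bot: The guard added in preProcess references `Contribution::checkAccess()` unqualified, but unlike the Delete.php hunk this file gets no `use Civi\Api4\Contribution;` in the patch; if the import is not already present above line 239 (the file header is outside the hunk), the name resolves to a non-existent global class and every UPDATE load fatals. Since the financial-type and line-item checks removed from buildQuickForm in the second hunk now survive only through whatever `checkAccess` and the extension hooks enforce, the new block deserves a comment making that explicit, e.g. `// Edit permission, including any financial-type/line-item ACL, is delegated to Contribution::checkAccess (extension hooks), not checked here.`. The expression does fail closed: if `first()` returns NULL, `!NULL['access']` is TRUE and the user is bounced, though PHP 8 logs a null-offset warning on the way; wrapping the chain as `!(Contribution::checkAccess()…->first()['access'] ?? FALSE)` keeps the safe default without the warning. preProcess continues outside the hunk.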
diff --git a/CRM/Contribute/Form/Task/Delete.php b/CRM/Contribute/Form/Task/Delete.php
index 1b8aa33f98..880fbdade6 100644
--- a/CRM/Contribute/Form/Task/Delete.php
+++ b/CRM/Contribute/Form/Task/Delete.php
@@ -15,6 +15,8 @@
 * @copyright CiviCRM LLC https://civicrm.org/licensing
 */
 
+use Civi\Api4\Contribution;
+
 /**
 * This class provides the functionality to delete a group of contributions.
 *
@@ -28,13 +30,12 @@ class CRM_Contribute_Form_Task_Delete extends CRM_Contribute_Form_Task {
 *
 * @var bool
 */
- protected $_single = FALSE;
+ protected bool $_single = FALSE;
 
 /**
 * Build all the data structures needed to build the form.
 */
- public function preProcess() {
- //check for delete
+ public function preProcess(): void {
 if (!CRM_Core_Permission::checkActionPermission('CiviContribute', CRM_Core_Action::DELETE)) {
 CRM_Core_Error::statusBounce(ts('You do not have permission to access this page.'));
 }
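Review bot: `protected bool $_single = FALSE;` adds a native type to a property that the parent chain (`CRM_Contribute_Form_Task` and its ancestors, all outside this patch) may already declare untyped; PHP property types are invariant and an untyped parent property cannot be re-declared with a type in a child, so if that is the case this is a fatal error at class load rather than a harmless tightening. Worth confirming against the parent before merge; if the parent declares it untyped, either leave it untyped here or add the type at the declaring class. The `: void` return type on `preProcess()` is safe as an override, since adding a return type where the parent has none is permitted.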
@@ -43,26 +44,19 @@ class CRM_Contribute_Form_Task_Delete extends CRM_Contribute_Form_Task {
 
 /**
 * Build the form object.
+ *
+ * @throws \CRM_Core_Exception
 */
- public function buildQuickForm() {
+ public function buildQuickForm(): void {
 $count = 0;
- if (CRM_Financial_BAO_FinancialType::isACLFinancialTypeStatus()) {
- foreach ($this->_contributionIds as $key => $id) {
- $finTypeID = CRM_Core_DAO::getFieldValue('CRM_Contribute_DAO_Contribution', $id, 'financial_type_id');
- if (!CRM_Core_Permission::check('delete contributions of type ' . CRM_Contribute_PseudoConstant::financialType($finTypeID))) {
- unset($this->_contributionIds[$key]);
- $count++;
- }
- // Now check for lineItems
- if ($lineItems = CRM_Price_BAO_LineItem::getLineItemsByContributionID($id)) {
- foreach ($lineItems as $items) {
- if (!CRM_Core_Permission::check('delete contributions of type ' . CRM_Contribute_PseudoConstant::financialType($items['financial_type_id']))) {
- unset($this->_contributionIds[$key]);
- $count++;
- break;
- }
- }
- }
+ $this->assign('rows');
+ foreach ($this->_contributionIds as $key => $id) {
+ if (!Contribution::checkAccess()
+ ->setAction('delete')
+ ->addValue('id', $id)
+ ->execute()->first()['access']) {
+ unset($this->_contributionIds[$key]);
+ $count++;
 }
 }
 if ($count && empty($this->_contributionIds)) {
@@ -86,7 +80,7 @@ class CRM_Contribute_Form_Task_Delete extends CRM_Contribute_Form_Task {
 /**
 * Process the form after the input has been submitted and validated.
 */
- public function postProcess() {
+ public function postProcess(): void {
 $deleted = $failed = 0;
 foreach ($this->_contributionIds as $contributionId) {
 if (CRM_Contribute_BAO_Contribution::deleteContribution($contributionId)) {
-- 
2.25.1
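Review bot: `$this->assign('rows');` on the new side passes no value, so with the usual `assign($var, $value = NULL)` signature it sets the `rows` template variable to NULL, and nothing else in the hunk populates it; it reads as unrelated to the access-check change and should either be dropped or carry a comment saying why the variable is deliberately cleared. The loop now issues one `Contribution::checkAccess()` API call per selected contribution unconditionally, where the removed code only did per-row work when `isACLFinancialTypeStatus()` was enabled, so bulk deletes over large selections may get noticeably slower unless checkAccess is cheap — its implementation is not visible from here. A short comment at the loop, `// Delete permission (incl. financial-type ACLs via extension hooks) is decided per contribution; rows the user may not delete are dropped.`, would document the delegated check. As in Contribution.php, a NULL result from `first()` fails closed (the row is dropped), which is the right direction. buildQuickForm continues outside the hunk.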