From ee117e9c6e3e870da617844e9060cdbce81fb0ec Mon Sep 17 00:00:00 2001 From: Tim Otten Date: Tue, 4 Feb 2014 15:02:51 -0800 Subject: [PATCH] CRM-13889 - api_v3_DashboardContact - Fix validation The validation of dashboard_id implicitly involved a permission-check. This permission-check would be wrong in some cases (eg running a drush script without any particular user), but it could be right in other cases (eg issuing an AJAX call). --- CRM/Core/BAO/Dashboard.php | 5 +++-- api/v3/DashboardContact.php | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/CRM/Core/BAO/Dashboard.php b/CRM/Core/BAO/Dashboard.php index 0f5dcca112..37c3596ef4 100644 --- a/CRM/Core/BAO/Dashboard.php +++ b/CRM/Core/BAO/Dashboard.php @@ -42,12 +42,13 @@ class CRM_Core_BAO_Dashboard extends CRM_Core_DAO_Dashboard { * Get the list of dashlets enabled by admin * * @param boolean $all all or only active + * @param boolean $checkPermission all or only authorized for the current user * * @return array $widgets array of dashlets * @access public * @static */ - static function getDashlets($all = TRUE) { + static function getDashlets($all = TRUE, $checkPermission = TRUE) { $dashlets = array(); $dao = new CRM_Core_DAO_Dashboard(); @@ -59,7 +60,7 @@ class CRM_Core_BAO_Dashboard extends CRM_Core_DAO_Dashboard { $dao->find(); while ($dao->fetch()) { - if (!self::checkPermission($dao->permission, $dao->permission_operator)) { + if ($checkPermission && !self::checkPermission($dao->permission, $dao->permission_operator)) { continue; } diff --git a/api/v3/DashboardContact.php b/api/v3/DashboardContact.php index f7f7ba6c1d..2784bd42a5 100644 --- a/api/v3/DashboardContact.php +++ b/api/v3/DashboardContact.php @@ -86,9 +86,9 @@ function _civicrm_api3_dashboard_contact_create_spec(&$params) { function _civicrm_api3_dashboard_contact_check_params(&$params) { $dashboard_id = CRM_Utils_Array::value('dashboard_id', $params); if ($dashboard_id) { - $allDashlets = CRM_Core_BAO_Dashboard::getDashlets(); + $allDashlets = CRM_Core_BAO_Dashboard::getDashlets(TRUE, CRM_Utils_Array::value('check_permissions', $params, 0)); if (!isset($allDashlets[$dashboard_id])) { - return civicrm_api3_create_error('Invalid Dashboard ID'); + return civicrm_api3_create_error('Invalid or inaccessible dashboard ID'); } } return NULL; -- 2.25.1