From ef9927cd334b7b2d0f27991645b59e6a6cffaee3 Mon Sep 17 00:00:00 2001
From: Tim Otten
Date: Tue, 16 Dec 2014 22:25:58 -0800
Subject: [PATCH] CRM-15713 - CRM_Case_BAO_Case::accessCase - Split off from getCases().

This allows us to explicit control over more parameters (eg case_status_id) and to improve performance (by focusing on the specific $caseId).
---
 CRM/Case/BAO/Case.php | 27 ++++++++++++++++++++++++---
 CRM/Case/Page/AJAX.php | 2 +-
 2 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/CRM/Case/BAO/Case.php b/CRM/Case/BAO/Case.php
index 87cbcd7afe..51c18bab5c 100644
--- a/CRM/Case/BAO/Case.php
+++ b/CRM/Case/BAO/Case.php
@@ -2984,10 +2984,11 @@ WHERE id IN (' . implode(',', $copiedActivityIds) . ')';
 * Verify user has permission to access a case
 *
 * @param int $caseId
+ * @param bool $denyClosed set TRUE if one wants closed cases to be treated as inaccessible
 *
 * @return bool
 */
- static function accessCase($caseId) {
+ static function accessCase($caseId, $denyClosed = TRUE) {
 if (!$caseId || !self::enabled()) {
 return FALSE;
 }
@@ -3002,9 +3003,29 @@ WHERE id IN (' . implode(',', $copiedActivityIds) . ')';
 return FALSE;
 }
 
- $filterCases = CRM_Case_BAO_Case::getCases(FALSE);
+ $session = CRM_Core_Session::singleton();
+ $userID = CRM_Utils_Type::validate($session->get('userID'), 'Positive');
+ $caseId = CRM_Utils_Type::validate($caseId, 'Positive');
+
+ $condition = " AND civicrm_case.is_deleted = 0 ";
+ $condition .= " AND case_relationship.contact_id_b = {$userID} ";
+ $condition .= " AND civicrm_case.id = {$caseId}";
+
+ if ($denyClosed) {
+ $closedId = CRM_Core_OptionGroup::getValue('case_status', 'Closed', 'name');
+ $condition .= " AND civicrm_case.status_id != $closedId";
+ }
+
+ // We don't actually care about activities in the case, but the underlying
+ // query is verbose, and this allows us to share the basic query with
+ // getCases(). $type=='any' means that activities will be left-joined.
+ $query = self::getCaseActivityQuery('any', $userID, $condition);
+ $queryParams = array();
+ $dao = CRM_Core_DAO::executeQuery($query,
+ $queryParams
+ );
 
- return isset($filterCases[$caseId]);
+ return (bool) $dao->fetch();
 }
 
 /**
diff --git a/CRM/Case/Page/AJAX.php b/CRM/Case/Page/AJAX.php
index 49abbec493..ec552b8816 100644
--- a/CRM/Case/Page/AJAX.php
+++ b/CRM/Case/Page/AJAX.php
@@ -130,7 +130,7 @@ class CRM_Case_Page_AJAX {
 function caseDetails() {
 $caseId = CRM_Utils_Type::escape($_GET['caseId'], 'Positive');
 
- if (!CRM_Case_BAO_Case::accessCase($caseId)) {
+ if (!CRM_Case_BAO_Case::accessCase($caseId, FALSE)) {
 CRM_Utils_System::permissionDenied();
 }
 
-- 
2.25.1
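Review bot: In the `if ($denyClosed)` branch, `$closedId` is interpolated into `$condition` without the `CRM_Utils_Type::validate(..., 'Positive')` pass that `$userID` and `$caseId` receive a few lines above, so if the 'Closed' case_status option value is ever missing the clause degrades to `status_id != ` and the access check fails with a SQL error instead of a clean FALSE. Validating it the same way keeps every interpolated value a checked integer: `$closedId = CRM_Utils_Type::validate(CRM_Core_OptionGroup::getValue('case_status', 'Closed', 'name'), 'Positive');`. Relatedly, `$queryParams = array()` is handed to executeQuery() but never populated, so the query relies entirely on string interpolation; binding the three integers through it (assuming getCaseActivityQuery() does not already use numbered placeholders) would make the intent explicit. The docblock should also say that `$session->get('userID')` is NULL for an anonymous request, so validate() aborts before the query rather than returning FALSE — presumably intended, but caseDetails() callers should know. accessCase's body begins outside this hunk.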