From f0384ec0c2ce2a9eaa17325f0beebdbef4fbf49e Mon Sep 17 00:00:00 2001 From: Coleman Watts Date: Wed, 21 Dec 2016 15:42:50 -0500 Subject: [PATCH] CRM-19773 - Check permisions for all entities in reports --- CRM/Report/Form.php | 29 +++++++++++++++++-- CRM/Report/Form/Contribute/Lybunt.php | 1 + CRM/Report/Form/Member/ContributionDetail.php | 1 + 3 files changed, 29 insertions(+), 2 deletions(-) diff --git a/CRM/Report/Form.php b/CRM/Report/Form.php index de0ad122ad..41de1b161d 100644 --- a/CRM/Report/Form.php +++ b/CRM/Report/Form.php @@ -329,7 +329,7 @@ class CRM_Report_Form extends CRM_Core_Form { * * @var array */ - protected $_selectedTables; + protected $_selectedTables = array(); /** * Array of DAO tables having columns included in WHERE or HAVING clause @@ -2658,6 +2658,7 @@ WHERE cg.extends IN ('" . implode("','", $this->_customGroupExtends) . "') AND $this->select(); $this->from(); $this->customDataFrom(); + $this->buildPermissionClause(); $this->where(); if (array_key_exists('civicrm_contribution', $this->getVar('_columns'))) { $this->getPermissionedFTQuery($this); @@ -3603,7 +3604,8 @@ WHERE cg.extends IN ('" . implode("','", $this->_customGroupExtends) . "') AND } /** - * Build acl clauses. + * Buld contact acl clause + * @deprecated in favor of buildPermissionClause * * @param string $tableAlias */ 
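Review bot: The permission clause only applies where a `buildQuery()` implementation remembers to call it. This commit adds `$this->buildPermissionClause();` by hand in the `@@ -2658` hunk and again in the Lybunt and Member ContributionDetail overrides, so any other report that overrides `buildQuery()` gets no entity-level restriction as far as this diff shows. The call also has to run before `where()`, which presumably reads `_aclWhere`, and that ordering is not stated anywhere. I would add `// Every buildQuery() override must call buildPermissionClause() before where().` above the call, and consider invoking it from a step that subclasses cannot skip. `buildQuery()` starts and ends outside the hunk.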
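Review bot: The new docblock in the `@@ -3603` hunk misspells "Build" and does not say what the deprecation means for existing callers. `buildPermissionClause()` resets `_aclFrom` and replaces `_aclWhere`, so a report that still calls this method has its result discarded once the new method runs. Suggested wording: `Build contact ACL clause.` followed by `@deprecated in favor of buildPermissionClause(), which overwrites the values set here`. The method signature is not part of the hunk.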
@@ -3611,6 +3613,29 @@ WHERE cg.extends IN ('" . implode("','", $this->_customGroupExtends) . "') AND list($this->_aclFrom, $this->_aclWhere) = CRM_Contact_BAO_Contact_Permission::cacheClause($tableAlias); } + /** + * Build the permision clause for all entities in this report + */ + public function buildPermissionClause() { + $ret = array(); + foreach ($this->selectedTables() as $tableName) { + $baoName = str_replace('_DAO_', '_BAO_', CRM_Core_DAO_AllCoreTables::getClassForTable($tableName)); + if ($baoName && class_exists($baoName) && !empty($this->_columns[$tableName]['alias'])) { + $tableAlias = $this->_columns[$tableName]['alias']; + $clauses = array_filter($baoName::getSelectWhereClause($tableAlias)); + foreach ($clauses as $field => $clause) { + // Skip contact_id field if redundant + if ($field != 'contact_id' || !in_array('civicrm_contact', $this->selectedTables())) { + $ret["$tableName.$field"] = $clause; + } + } + } + } + // Override output from buildACLClause + $this->_aclFrom = NULL; + $this->_aclWhere = implode(' AND ', $ret); + } + /** * Add custom data to the columns. * diff --git a/CRM/Report/Form/Contribute/Lybunt.php b/CRM/Report/Form/Contribute/Lybunt.php index ce1a06c7c0..2823c2ad49 100644 --- a/CRM/Report/Form/Contribute/Lybunt.php +++ b/CRM/Report/Form/Contribute/Lybunt.php @@ -581,6 +581,7 @@ class CRM_Report_Form_Contribute_Lybunt extends CRM_Report_Form { */ public function buildQuery($applyLimit = TRUE) { $this->buildGroupTempTable(); + $this->buildPermissionClause(); // Calling where & select before FROM allows us to build temp tables to use in from. $this->where(); $this->select(); diff --git a/CRM/Report/Form/Member/ContributionDetail.php b/CRM/Report/Form/Member/ContributionDetail.php index 66d1278a88..26de58f384 100644 --- a/CRM/Report/Form/Member/ContributionDetail.php +++ b/CRM/Report/Form/Member/ContributionDetail.php 
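Review bot: `buildPermissionClause()` fails open for every table its `if` skips. A table with no class from `getClassForTable()`, no loadable BAO class, or no `alias` in `$this->_columns` adds nothing to `$ret`, and the last two statements then replace the contact restriction stored by `buildACLClause()` (the `cacheClause()` assignment in the first context line) with whatever was collected, possibly an empty string. The `contact_id` shortcut has the same gap, because it tests only that `civicrm_contact` is in `selectedTables()`, not that a clause for that table was actually added. I would overwrite only when something was built, `if ($ret) { $this->_aclFrom = NULL; $this->_aclWhere = implode(' AND ', $ret); }`, and use `$field !== 'contact_id'` so a non-string key cannot compare equal on older PHP. The docblock should also say which tables are intentionally left unrestricted.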
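Review bot: The call order in the Lybunt `buildQuery()` differs from the other two call sites without explanation. Here the clause is built before `where()`, `select()` and (per the existing comment) `from()`, while `CRM/Report/Form.php` and Member ContributionDetail build it after `from()` and `customDataFrom()`. Because `buildPermissionClause()` ends by resetting `_aclFrom` and `_aclWhere`, a later `buildACLClause()` call from this report's `from()`, if it makes one (not visible here), would put the contact-only clause back. `selectedTables()` is also evaluated before the select and where steps have run, which may matter if it depends on them. A comment such as `// Must precede where(); from() must not call buildACLClause() after this point.` would make the dependency explicit; the rest of `buildQuery()` is outside the hunk.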
@@ -580,6 +580,7 @@ class CRM_Report_Form_Member_ContributionDetail extends CRM_Report_Form { $this->tempTable(); $this->from(); $this->customDataFrom(); + $this->buildPermissionClause(); $this->where(); $this->groupBy(); $this->orderBy(); -- 2.25.1