From f836c635b8550f84d49e63ed59c082c817ebafbb Mon Sep 17 00:00:00 2001
From: Jon goldberg
Date: Thu, 8 Oct 2015 21:21:58 -0400
Subject: [PATCH] CRM-17350 - Allowing editing of tags when you don't have 'edit all contacts' permission

Conflicts:
	CRM/Core/DAO/permissions.php
---
 CRM/Core/BAO/EntityTag.php   | 14 +++++++++++++-
 CRM/Core/DAO/permissions.php | 11 +++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/CRM/Core/BAO/EntityTag.php b/CRM/Core/BAO/EntityTag.php
index 0324c401b7..5ceed31b9e 100644
--- a/CRM/Core/BAO/EntityTag.php
+++ b/CRM/Core/BAO/EntityTag.php
@@ -121,7 +121,7 @@ class CRM_Core_BAO_EntityTag extends CRM_Core_DAO_EntityTag {
   }
 
   /**
-   * Given an array of entity ids and entity table, add all the entity to the tags
+   * Given an array of entity ids and entity table, add all the entity to the tags.
    *
    * @param array $entityIds
    *   (reference ) the array of entity ids to be added.
@@ -139,6 +139,12 @@ class CRM_Core_BAO_EntityTag extends CRM_Core_DAO_EntityTag {
     $entityIdsAdded = array();
 
     foreach ($entityIds as $entityId) {
+      // CRM-17350 - check if we have permission to edit the contact
+      // that this tag belongs to.
+      if (!CRM_Contact_BAO_Contact_Permission::allow($entityId, CRM_Core_Permission::EDIT)) {
+        $numEntitiesNotAdded++;
+        continue;
+      }
       $tag = new CRM_Core_DAO_EntityTag();
 
       $tag->entity_id = $entityId;
@@ -184,6 +190,12 @@ class CRM_Core_BAO_EntityTag extends CRM_Core_DAO_EntityTag {
     $entityIdsRemoved = array();
 
     foreach ($entityIds as $entityId) {
+      // CRM-17350 - check if we have permission to edit the contact
+      // that this tag belongs to.
+      if (!CRM_Contact_BAO_Contact_Permission::allow($entityId, CRM_Core_Permission::EDIT)) {
+        $numEntitiesNotAdded++;
+        continue;
+      }
       $tag = new CRM_Core_DAO_EntityTag();
 
       $tag->entity_id = $entityId;
diff --git a/CRM/Core/DAO/permissions.php b/CRM/Core/DAO/permissions.php
index f63519d4ab..f525fe139b 100644
--- a/CRM/Core/DAO/permissions.php
+++ b/CRM/Core/DAO/permissions.php
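Review bot: The added guard passes `$entityId` to the contact ACL check as if it were a contact id, but the docblock fixed in the first hunk says this method also takes an entity table, so for any table other than civicrm_contact the check is run against an unrelated contact id (or denies outright when no such contact exists); the same guard is repeated in the `@@ -184` hunk. If the contact ACL is only meant to apply to contact tagging, gate it on the table parameter (its name is outside the hunk, presumably `$entityTable`), e.g. `if ($entityTable == 'civicrm_contact' && !CRM_Contact_BAO_Contact_Permission::allow($entityId, CRM_Core_Permission::EDIT)) {`, and state explicitly what authorisation covers other entity types, since the permissions.php hunk now lets any user with 'access CiviCRM' reach these loops through the API. The comment `that this tag belongs to` is also misleading — it is the entity being tagged, not the tag; `// CRM-17350 - caller must be allowed to edit the contact being tagged` would be clearer. The enclosing method starts before this hunk and continues after it.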
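Review bot: In the removal loop the new guard increments `$numEntitiesNotAdded`, which looks like a copy-paste from the add loop; next to `$entityIdsRemoved = array();` the counter this method reports is presumably the "not removed" one, so a skipped entity is either miscounted or, if `$numEntitiesNotAdded` is not declared in this method, silently creates a new local and leaves the real counter at zero. Change it to the removal counter, e.g. `$numEntitiesNotRemoved++;`, and confirm the name against the declaration above the hunk. The enclosing method starts before and ends after this hunk.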
@@ -124,6 +124,17 @@ function _civicrm_api3_permissions($entity, $action, &$params) {
   // @todo - ditto
   $permissions['note'] = $permissions['entity_tag'];
 
+  // CRM-17350 - entity_tag ACL permissions are checked at the BAO level
+  $permissions['entity_tag'] = array(
+    'get' => array(
+      'access CiviCRM',
+      'view all contacts',
+    ),
+    'default' => array(
+      'access CiviCRM',
+    ),
+  );
+
   // Allow non-admins to get and create tags to support tagset widget
   // Delete is still reserved for admins
   $permissions['tag'] = array(
-- 
2.25.1
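Review bot: The new `default` entry grants every non-`get` entity_tag action to anyone with 'access CiviCRM' while `get` still needs 'view all contacts', so the write side is now looser than the read side and the only remaining write control is the BAO guard. That holds only if every API action that writes civicrm_entity_tag goes through the two guarded loops in EntityTag.php; if `create` or `delete` reach a different BAO method, those writes are no longer checked beyond 'access CiviCRM', so the comment should name the enforcing code, e.g. `// CRM-17350 - per-contact EDIT ACL for entity_tag writes is enforced in CRM_Core_BAO_EntityTag (add/remove loops), not here`. Note also that `$permissions['note'] = $permissions['entity_tag'];` two lines above copies the value before this reassignment, so 'note' keeps the previous entity_tag permissions rather than the relaxed ones; if that is intended, a one-line comment there would save the next reader from assuming the "ditto" still holds.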