From fa6448fac9184cd70a899dbf7f3946023c7042c4 Mon Sep 17 00:00:00 2001
From: Eileen McNaughton
Date: Tue, 11 Oct 2016 13:41:04 +0100
Subject: [PATCH] CRM-15980 Test for API does not permit PHP to permanently delete a contact (#9210)
* CRM-15980 Test for API does not permit PHP to permanently delete a contact
* CRM-15980 fix API does not permit PHP to permanently delete a contact
Change-Id: I4bc50fedf31de60312f3ab1ad0f216fb85962bca
---
 CRM/Contact/BAO/Contact.php | 6 +++---
 api/v3/Contact.php | 3 ++-
 tests/phpunit/api/v3/ContactTest.php | 18 ++++++++++++++++++
 3 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/CRM/Contact/BAO/Contact.php b/CRM/Contact/BAO/Contact.php
index a38a8272ef..b90ccd47d3 100644
--- a/CRM/Contact/BAO/Contact.php
+++ b/CRM/Contact/BAO/Contact.php
@@ -789,7 +789,7 @@ WHERE civicrm_contact.id = " . CRM_Utils_Type::escape($id, 'Integer');
 * @return bool
 * Was contact deleted?
 */
- public static function deleteContact($id, $restore = FALSE, $skipUndelete = FALSE) {
+ public static function deleteContact($id, $restore = FALSE, $skipUndelete = FALSE, $checkPermissions = TRUE) {
 if (!$id) {
 return FALSE;
@@ -801,8 +801,8 @@ WHERE civicrm_contact.id = " . CRM_Utils_Type::escape($id, 'Integer');
 // make sure we have edit permission for this contact
 // before we delete
- if (($skipUndelete && !CRM_Core_Permission::check('delete contacts')) ||
- ($restore && !CRM_Core_Permission::check('access deleted contacts'))
+ if ($checkPermissions && (($skipUndelete && !CRM_Core_Permission::check('delete contacts')) ||
+ ($restore && !CRM_Core_Permission::check('access deleted contacts')))
 ) {
 return FALSE;
 }
diff --git a/api/v3/Contact.php b/api/v3/Contact.php
index fdab683d68..0a2f686d70 100644
--- a/api/v3/Contact.php
+++ b/api/v3/Contact.php
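Review bot: The new `$checkPermissions` parameter of `deleteContact` is not described in the docblock whose tail (`@return bool`) is visible just above the signature, so a caller cannot tell from the declaration that passing FALSE switches off the 'delete contacts' and 'access deleted contacts' checks made further down the method. Add `* @param bool $checkPermissions` followed by `*   When FALSE the 'delete contacts' (permanent delete) and 'access deleted contacts' (restore) checks are skipped; pass FALSE only when the caller has already authorised the operation.` ahead of `@return bool`. The docblock opens outside the hunk and the method body continues past it.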
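Review bot: The comment `// make sure we have edit permission for this contact` above the changed condition no longer matches it: the guarded checks are 'delete contacts' for a permanent delete and 'access deleted contacts' for a restore, and after this hunk the whole guard is skipped whenever `$checkPermissions` is falsy, which the comment should say since it is the one place a reader of the BAO learns that the authorisation can be delegated to the caller. The added `$checkPermissions && ((...) || (...))` nesting is also hard to scan; an outer `if ($checkPermissions)` around the original two-line condition keeps the `return FALSE` path obvious. A plain trash (neither `$skipUndelete` nor `$restore`) was not permission-checked here before or after this change, which is worth stating in the comment if intended.

```php
    // Enforce 'delete contacts' (permanent delete) and 'access deleted contacts' (restore)
    // unless the caller has taken responsibility for permission checks ($checkPermissions = FALSE).
    if ($checkPermissions) {
      if (($skipUndelete && !CRM_Core_Permission::check('delete contacts')) ||
        ($restore && !CRM_Core_Permission::check('access deleted contacts'))
      ) {
        return FALSE;
      }
    }
    // … unchanged: remainder of deleteContact …
```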
@@ -408,7 +408,8 @@ function civicrm_api3_contact_delete($params) {
 if ($skipUndelete && CRM_Financial_BAO_FinancialItem::checkContactPresent(array($contactID), $error)) {
 return civicrm_api3_create_error($error['_qf_default']);
 }
- if (CRM_Contact_BAO_Contact::deleteContact($contactID, $restore, $skipUndelete)) {
+ if (CRM_Contact_BAO_Contact::deleteContact($contactID, $restore, $skipUndelete,
+ CRM_Utils_Array::value('check_permissions', $params))) {
 return civicrm_api3_create_success();
 }
 else {
diff --git a/tests/phpunit/api/v3/ContactTest.php b/tests/phpunit/api/v3/ContactTest.php
index 2d3493c5e8..480cc9355a 100644
--- a/tests/phpunit/api/v3/ContactTest.php
+++ b/tests/phpunit/api/v3/ContactTest.php
@@ -2288,6 +2288,24 @@ class api_v3_ContactTest extends CiviUnitTestCase {
 $this->callAPISuccess('contact', 'create', $params);
 }
+ /**
+ * Test that delete with skip undelete respects permissions.
+ */
+ public function testContactDeletePermissions() {
+ $contactID = $this->individualCreate();
+ CRM_Core_Config::singleton()->userPermissionClass->permissions = array('access CiviCRM');
+ $this->callAPIFailure('Contact', 'delete', array(
+ 'id' => $contactID,
+ 'check_permissions' => 1,
+ 'skip_undelete' => 1,
+ ));
+ $this->callAPISuccess('Contact', 'delete', array(
+ 'id' => $contactID,
+ 'check_permissions' => 0,
+ 'skip_undelete' => 1,
+ ));
+ }
+
 /**
 * Test update with check permissions set.
 */
-- 
2.25.1
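Review bot: `CRM_Utils_Array::value('check_permissions', $params)` evaluates to NULL when the key is absent, so every PHP caller that does not set `check_permissions` now skips the BAO's 'delete contacts' and 'access deleted contacts' checks; that matches the API3 convention that permission checks are opt-in for PHP callers, but the intent should be visible at the call site and the BAO should receive a real boolean, e.g. `(bool) CRM_Utils_Array::value('check_permissions', $params, FALSE)`. The safety of this rests on the REST and AJAX entry points continuing to force `check_permissions` on before a request reaches this function, which is not visible in the hunk and is worth a one-line comment here. The rest of `civicrm_api3_contact_delete`, including where `$restore` and `$skipUndelete` are read from `$params`, lies outside the hunk.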
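Review bot: `testContactDeletePermissions` shows that `check_permissions => 0` bypasses the check, but the `callAPIFailure` half would also pass if the request were rejected before it reached `CRM_Contact_BAO_Contact::deleteContact` (by the API layer's own permission list, for instance), so it does not pin the BAO change this commit makes; a positive case that grants 'delete contacts' and repeats the permanent delete with `check_permissions => 1` would. The test also never asserts that the refused call left the contact in place, and the `$restore` branch guarded by 'access deleted contacts' has no coverage. Finally, `userPermissionClass->permissions` is overwritten and never restored; unless the base class resets it in tearDown, later tests in the same process inherit the reduced permission set.

```php
    // … unchanged: individualCreate, permission set to 'access CiviCRM', callAPIFailure …
    // The refused call must not have touched the record.
    $this->callAPISuccessGetCount('Contact', array('id' => $contactID), 1);
    // … unchanged: callAPISuccess with check_permissions => 0 …
    // With the permission granted, the same call is allowed even with checks on.
    $secondContactID = $this->individualCreate();
    CRM_Core_Config::singleton()->userPermissionClass->permissions = array('access CiviCRM', 'delete contacts');
    $this->callAPISuccess('Contact', 'delete', array(
      'id' => $secondContactID,
      'check_permissions' => 1,
      'skip_undelete' => 1,
    ));
```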