Move acl check for contributionView to the extension

civicrm · Feb 2, 2022 · 3dd4f7a · 3dd4f7a
1 parent aa9d3ae
commit 3dd4f7a
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 26 deletions.
diff --git a/CRM/Contribute/BAO/Contribution.php b/CRM/Contribute/BAO/Contribution.php
@@ -316,7 +316,7 @@ public static function getValues($params, &$values = [], &$ids = []) {
   }
 
   /**
-   * Get the values and resolve the most common mappings.
+   * Deprecated contact.get call.
    *
    * Since contribution status is resolved in almost every function that calls getValues it makes
    * sense to have an extra function to resolve it rather than repeat the code.
@@ -330,6 +330,8 @@ public static function getValues($params, &$values = [], &$ids = []) {
    * @return array
    *   Array of the found contribution.
    * @throws CRM_Core_Exception
+   *
+   * @deprecated
    */
   public static function getValuesWithMappings($params) {
     $values = $ids = [];

diff --git a/CRM/Contribute/Form/ContributionView.php b/CRM/Contribute/Form/ContributionView.php
@@ -9,6 +9,8 @@
  +--------------------------------------------------------------------+
  */
 
+use Civi\Api4\Contribution;
+
 /**
  *
  * @package CRM
@@ -28,12 +30,22 @@ public function preProcess() {
     if (empty($id)) {
       throw new CRM_Core_Exception('Contribution ID is required');
     }
-    $params = ['id' => $id];
+
     $context = CRM_Utils_Request::retrieve('context', 'Alphanumeric', $this);
     $this->assign('context', $context);
 
-    $values = CRM_Contribute_BAO_Contribution::getValuesWithMappings($params);
+    // Note than this get could be restricted by ACLs in an extension
+    $contribution = Contribution::get(TRUE)->addWhere('id', '=', $id)->addSelect('financial_type_id')->execute()->first();
+    if (empty($contribution)) {
+      CRM_Core_Error::statusBounce(ts('Access to contribution not permitted'));
+    }
+    // We just cast here because it was traditionally an array called values - would be better
+    // just to use 'contribution'.
+    $values = (array) $contribution;
+    $contributionStatus = CRM_Core_PseudoConstant::getName('CRM_Contribute_BAO_Contribution', 'contribution_status_id', $values['contribution_status_id']);
 
+    // @todo - it might have been better to create a new form that extends this
+    // for template contributions rather than overloading this form.
     $force_create_template = CRM_Utils_Request::retrieve('force_create_template', 'Boolean', $this, FALSE, FALSE);
     if ($force_create_template && !empty($values['contribution_recur_id']) && empty($values['is_template'])) {
       // Create a template contribution.
@@ -46,20 +58,8 @@ public function preProcess() {
     }
     $this->assign('is_template', $values['is_template']);
 
-    if (CRM_Financial_BAO_FinancialType::isACLFinancialTypeStatus() && $this->_action & CRM_Core_Action::VIEW) {
-      $financialTypeID = CRM_Contribute_PseudoConstant::financialType($values['financial_type_id']);
-      CRM_Financial_BAO_FinancialType::checkPermissionedLineItems($id, 'view');
-      if (CRM_Financial_BAO_FinancialType::checkPermissionedLineItems($id, 'edit', FALSE)) {
-        $this->assign('canEdit', TRUE);
-      }
-      if (CRM_Financial_BAO_FinancialType::checkPermissionedLineItems($id, 'delete', FALSE)) {
-        $this->assign('canDelete', TRUE);
-      }
-      if (!CRM_Core_Permission::check('view contributions of type ' . $financialTypeID)) {
-        CRM_Core_Error::statusBounce(ts('You do not have permission to access this page.'));
-      }
-    }
-    elseif ($this->_action & CRM_Core_Action::VIEW) {
+    if ($this->_action & CRM_Core_Action::VIEW) {
+      // @todo remove this & also from templates, belongs in the extension.
       $this->assign('noACL', TRUE);
     }
     CRM_Contribute_BAO_Contribution::resolveDefaults($values);
@@ -150,7 +150,7 @@ public function preProcess() {
       $campaigns = CRM_Campaign_BAO_Campaign::getCampaigns($campaignId);
       $values['campaign'] = $campaigns[$campaignId];
     }
-    if ($values['contribution_status'] == 'Refunded') {
+    if ($contributionStatus === 'Refunded') {
       $this->assign('refund_trxn_id', CRM_Core_BAO_FinancialTrxn::getRefundTransactionTrxnID($id));
     }
 
@@ -159,9 +159,7 @@ public function preProcess() {
     $invoicing = CRM_Invoicing_Utils::isInvoicingEnabled();
     $this->assign('invoicing', $invoicing);
     $this->assign('isDeferred', Civi::settings()->get('deferred_revenue_enabled'));
-    if ($invoicing && isset($values['tax_amount'])) {
-      $this->assign('totalTaxAmount', $values['tax_amount']);
-    }
+    $this->assign('totalTaxAmount', $values['tax_amount'] ?? NULL);
 
     // omitting contactImage from title for now since the summary overlay css doesn't work outside of our crm-container
     $displayName = CRM_Contact_BAO_Contact::displayName($values['contact_id']);
@@ -204,8 +202,7 @@ public function preProcess() {
       NULL,
       $recentOther
     );
-    $statusOptionValueNames = CRM_Contribute_PseudoConstant::contributionStatus(NULL, 'name');
-    $contributionStatus = $statusOptionValueNames[$values['contribution_status_id']];
+
     if (in_array($contributionStatus, ['Partially paid', 'Pending refund'])
         || ($contributionStatus == 'Pending' && $values['is_pay_later'])
         ) {

diff --git a/ext/financialacls/financialacls.php b/ext/financialacls/financialacls.php
@@ -2,6 +2,7 @@
 
 require_once 'financialacls.civix.php';
 // phpcs:disable
+use Civi\Api4\Contribution;
 use Civi\Api4\EntityFinancialAccount;
 use CRM_Financialacls_ExtensionUtil as E;
 // phpcs:enable
@@ -394,9 +395,22 @@ function financialacls_toggle() {
  *
  * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_preProcess
  */
-//function financialacls_civicrm_preProcess($formName, &$form) {
-//
-//}
+function financialacls_civicrm_preProcess($formName, &$form) {
+  if (!financialacls_is_acl_limiting_enabled()) {
+    return;
+  }
+  if ($formName === 'CRM_Contribute_Form_ContributionView'
+    && $form->_action & CRM_Core_Action::VIEW) {
+    $id = $form->get('id');
+    if (CRM_Financial_BAO_FinancialType::checkPermissionedLineItems($id, 'edit', FALSE)) {
+      $form->assign('canEdit', TRUE);
+    }
+    if (CRM_Financial_BAO_FinancialType::checkPermissionedLineItems($id, 'delete', FALSE)) {
+      $form->assign('canDelete', TRUE);
+    }
+  }
+
+}
 
 /**
  * Implements hook_civicrm_navigationMenu().