Merge pull request #9246 from eileenmcnaughton/bjorn

CRM-19494 Refactoring of permission code
civicrm · Oct 24, 2016 · 6a47b6a · 6a47b6a
2 parents c910b20 + 9aea8e1
commit 6a47b6a
Show file tree

Hide file tree

Showing 5 changed files with 583 additions and 193 deletions.
diff --git a/CRM/ACL/API.php b/CRM/ACL/API.php
@@ -84,6 +84,10 @@ public static function check($str, $contactID = NULL) {
    * @param bool $skipDeleteClause
    *   Don't add delete clause if this is true,.
    *   this means it is handled by generating query
+   * @param bool $skipOwnContactClause
+   *   Do not add 'OR contact_id = $userID' to the where clause.
+   *   This is a hideously inefficient query and should be avoided
+   *   wherever possible.
    *
    * @return string
    *   the group where clause for this user
@@ -94,7 +98,8 @@ public static function whereClause(
     &$whereTables,
     $contactID = NULL,
     $onlyDeleted = FALSE,
-    $skipDeleteClause = FALSE
+    $skipDeleteClause = FALSE,
+    $skipOwnContactClause = FALSE
   ) {
     // the default value which is valid for the final AND
     $deleteClause = ' ( 1 ) ';
@@ -131,9 +136,9 @@ public static function whereClause(
       )
     );
 
-    // Add permission on self
-    if ($contactID && (CRM_Core_Permission::check('edit my contact') ||
-      $type == self::VIEW && CRM_Core_Permission::check('view my contact'))
+    // Add permission on self if we really hate our server or have hardly any contacts.
+    if (!$skipOwnContactClause && $contactID && (CRM_Core_Permission::check('edit my contact') ||
+        $type == self::VIEW && CRM_Core_Permission::check('view my contact'))
     ) {
       $where = "(contact_a.id = $contactID OR ($where))";
     }