From 450fcddbdfd83b10b951de79035ef7ca67c15206 Mon Sep 17 00:00:00 2001 From: Jitendra Purohit Date: Wed, 19 Jul 2017 13:43:30 +0530 Subject: [PATCH 1/2] CRM-20910: Check permission param while retrieving participants from api --- CRM/Contact/BAO/Query.php | 3 ++- CRM/Event/BAO/Query.php | 6 +++++- tests/phpunit/api/v3/ParticipantTest.php | 24 ++++++++++++++++++++++++ 3 files changed, 31 insertions(+), 2 deletions(-) diff --git a/CRM/Contact/BAO/Query.php b/CRM/Contact/BAO/Query.php index 2e4d34c07452..3b44723b2595 100644 --- a/CRM/Contact/BAO/Query.php +++ b/CRM/Contact/BAO/Query.php @@ -6121,7 +6121,8 @@ public static function buildQillForFieldValue( $pseudoOptions = CRM_Core_PseudoConstant::worldRegion(); } elseif ($daoName == 'CRM_Event_DAO_Event' && $fieldName == 'id') { - $pseudoOptions = CRM_Event_BAO_Event::getEvents(0, $fieldValue, TRUE, TRUE, TRUE); + $checkPermission = CRM_Utils_Array::value('check_permission', $pseudoExtraParam, TRUE); + $pseudoOptions = CRM_Event_BAO_Event::getEvents(0, $fieldValue, TRUE, $checkPermission, TRUE); } elseif ($fieldName == 'contribution_product_id') { $pseudoOptions = CRM_Contribute_PseudoConstant::products(); diff --git a/CRM/Event/BAO/Query.php b/CRM/Event/BAO/Query.php index 09c32b959dcf..4f24d5c713e3 100644 --- a/CRM/Event/BAO/Query.php +++ b/CRM/Event/BAO/Query.php @@ -253,6 +253,10 @@ public static function where(&$query) { * @param $query */ public static function whereClauseSingle(&$values, &$query) { + $checkPermission = TRUE; + if (!empty($query->_skipPermission)) { + $checkPermission = FALSE; + } list($name, $op, $value, $grouping, $wildcard) = $values; $fields = array_merge(CRM_Event_BAO_Event::fields(), CRM_Event_BAO_Participant::exportableFields()); 
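Review bot: In the `CRM_Event_DAO_Event` branch of buildQillForFieldValue, `check_permission` is read with loose truthiness, so any falsy value in `$pseudoExtraParam` (for example 0 or an empty string) switches off the permission argument passed to `getEvents()`, not only an explicit FALSE. Since the default is already the safe one, the lookup can be made fail-closed with `$checkPermission = CRM_Utils_Array::value('check_permission', $pseudoExtraParam, TRUE) !== FALSE;`. The key is also spelled differently from the API-level `check_permissions` used by the test in this patch, so a caller who passes the plural form silently keeps the default; a comment such as `// 'check_permission' is an internal flag (not the API's 'check_permissions'); only an explicit FALSE skips the event permission filter.` would make that visible. The function's signature and docblock lie outside the hunk, so whether `$pseudoExtraParam` is documented there cannot be seen from here.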
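Review bot: The docblock above whereClauseSingle still reads only `@param $query`, yet the method now depends on `$query->_skipPermission` to decide whether event lookups are permission-checked. That is a security-relevant input and should be stated, for example `@param CRM_Contact_BAO_Query $query Query object; when its _skipPermission flag is set, event labels for the qill are looked up without the permission filter.` (the type name is inferred from the static call in the `@@ -461,7 +465,7` hunk and should be confirmed). In the visible hunks the flag is consumed only at that call, and PATCH 2/2 rewrites the assignment without touching the docblock, so the same point applies there. Reading the property through `empty()` keeps the check enabled when the property is absent, which is the safe default and worth preserving in later refactors.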
@@ -461,7 +465,7 @@ public static function whereClauseSingle(&$values, &$query) { if (!array_key_exists($qillName, $fields)) { break; } - list($op, $value) = CRM_Contact_BAO_Query::buildQillForFieldValue('CRM_Event_DAO_Event', $name, $value, $op); + list($op, $value) = CRM_Contact_BAO_Query::buildQillForFieldValue('CRM_Event_DAO_Event', $name, $value, $op, array('check_permission' => $checkPermission)); $query->_qill[$grouping][] = ts('%1 %2 %3', array(1 => $fields[$qillName]['title'], 2 => $op, 3 => $value)); return; } diff --git a/tests/phpunit/api/v3/ParticipantTest.php b/tests/phpunit/api/v3/ParticipantTest.php index 68df64b301c3..41171b7083bf 100644 --- a/tests/phpunit/api/v3/ParticipantTest.php +++ b/tests/phpunit/api/v3/ParticipantTest.php @@ -206,6 +206,30 @@ public function testGetParticipantIdOnly() { } + /** + * Test permission for participant get. + */ + public function testGetParticipantWithPermission() { + $config = CRM_Core_Config::singleton(); + $config->userPermissionClass->permissions = array(); + $params = array( + 'event_id' => $this->_eventID, + 'check_permissions' => TRUE, + 'return' => array( + 'participant_id', + 'event_id', + 'participant_register_date', + 'participant_source', + ), + ); + $this->callAPIFailure('participant', 'get', $params); + + $params['check_permissions'] = FALSE; + $result = $this->callAPISuccess('participant', 'get', $params); + $this->assertEquals($result['is_error'], 0); + } + + /** * Check with params id. */ From f27fe817f18e0510822c26fa5840c84466bc122b Mon Sep 17 00:00:00 2001 From: Jitendra Purohit Date: Thu, 20 Jul 2017 16:55:33 +0530 Subject: [PATCH 2/2] minor fixes --- CRM/Event/BAO/Query.php | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/CRM/Event/BAO/Query.php b/CRM/Event/BAO/Query.php index 4f24d5c713e3..c542cff51d34 100644 --- a/CRM/Event/BAO/Query.php +++ b/CRM/Event/BAO/Query.php 
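Review bot: In testGetParticipantWithPermission, `$this->callAPIFailure('participant', 'get', $params);` passes on any error, so the test does not show that the call was refused for lack of permission rather than failing for an unrelated reason. Passing the expected message would pin it, e.g. `$this->callAPIFailure('participant', 'get', $params, '<EXPECTED_PERMISSION_ERROR>');` with the placeholder replaced by the real text. The success half asserts only `is_error`, which `callAPISuccess` presumably already guarantees, and with the arguments in actual-then-expected order; asserting on the returned rows is stronger, for instance `$this->assertGreaterThan(0, $result['count']);` if setUp creates a participant for `$this->_eventID` (not visible here). The test also leaves `$config->userPermissionClass->permissions = array();` in place on the shared config singleton; unless tearDown resets it, later tests run with no permissions, so the previous value should be saved and restored.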
@@ -253,10 +253,7 @@ public static function where(&$query) { * @param $query */ public static function whereClauseSingle(&$values, &$query) { - $checkPermission = TRUE; - if (!empty($query->_skipPermission)) { - $checkPermission = FALSE; - } + $checkPermission = empty($query->_skipPermission); list($name, $op, $value, $grouping, $wildcard) = $values; $fields = array_merge(CRM_Event_BAO_Event::fields(), CRM_Event_BAO_Participant::exportableFields());