Fix CRM_ACL_API::whereClause to respect $contactId param

[colemanw]

Overview

Fixes an edge-case bug in contact permission checks and adds more robust support to the CMS-based permission checking.

Before

The CRM_ACL_API::whereClause() function did not correctly handle the $contactID parameter. It would always check user permissions based on the current user, ignoring that param.

After

It correctly checks permissions against the specified user.

Technical Details

This fix required a patch to all 6 CMS integration points (D6, D7, D8, BD, J!, WP). They all handle checking permissions slightly differently and none of it is covered by unit tests (nor do I think it could be with our current test infrastructure). So this will require a fair amount of manual testing.

Notes

I discovered this bug while working on this issue: Load case to webform with contactID, checksum and caseID in the URL

[civibot]

(Standard links)

• If this is your first pull-request for CiviCRM, please browse CONTRIBUTING.md for information about the development and testing processes.
• If you are reviewing this pull-request, you may wish to consult the test sites and the Review Standards (long template, short template).

[monishdeb]

This PR introduces a nice enhancement where you can check given permission of a $contactID which can be passed to CRM_Core_Permission::check(<permission string>, $contactID), unlike earlier which checks only for logged-in user. In order to test it in all CMSs I have executed a small script

civicrm_initialize();
$contactID = N;
$permission = 'edit all contacts';
if (CRM_Core_Permission::check($perm, $contactID)) {
  echo "Contact ID - $contactID has $permission permission"
}

after applying this patch. And it is working as expected. Doesn't cause any unintended regression.

Hence merging this PR.

[colemanw]

Thanks @monishdeb!