Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

dev/core#1879 Fix inconsistent ability to view event information #18712

Merged
merged 1 commit into from
Oct 29, 2020
Merged

dev/core#1879 Fix inconsistent ability to view event information #18712

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions CRM/ACL/BAO/ACL.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -518,6 +518,8 @@ public static function group(
if (empty($ids) && !empty($includedGroups) &&
is_array($includedGroups)
) {
// This is pretty alarming - we 'sometimes' include all included groups
// seems problematic per https://lab.civicrm.org/dev/core/-/issues/1879
$ids = $includedGroups;
}
if ($contactID) {
Expand Down
18 changes: 9 additions & 9 deletions CRM/Event/BAO/Event.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -730,7 +730,7 @@ public static function &getMapInfo(&$id) {
* @return array
* array of all the events that are searched
*/
public static function &getCompleteInfo(
public static function getCompleteInfo(
$start = NULL,
$type = NULL,
$eventId = NULL,
Expand Down Expand Up @@ -839,15 +839,15 @@ public static function &getCompleteInfo(

// check 'view event info' permission
//@todo - per CRM-14626 we have resolved that 'view event info' means 'view ALL event info'
// and passing in the specific permission here will short-circuit the evaluation of permission to
// see specific events (doesn't seem relevant to this call
// however, since this function is accessed only by a convoluted call from a joomla block function
// it seems safer not to touch here. Suggestion is that CRM_Core_Permission::check(array or relevant permissions) would
// be clearer & safer here
$permissions = CRM_Core_Permission::event(CRM_Core_Permission::VIEW);
if (CRM_Core_Permission::check('view event info')) {
$permissions = TRUE;
}
else {
$permissions = CRM_Core_Permission::event(CRM_Core_Permission::VIEW);
}

while ($dao->fetch()) {
if (!empty($permissions) && in_array($dao->event_id, $permissions)) {
if (!empty($permissions) && ($permissions === TRUE || in_array($dao->event_id, $permissions))) {
$info = [];
$info['uid'] = "CiviCRM_EventID_{$dao->event_id}_" . md5($config->userFrameworkBaseURL) . $url;

Expand Down Expand Up @@ -1075,7 +1075,7 @@ public static function sendMail($contactID, $values, $participantId, $isTest = F
$email = CRM_Core_DAO::getFieldValue('CRM_Core_DAO_UFGroup', $gId, 'notify');
if ($email) {
//get values of corresponding profile fields for notification
list($profileValues) = self::buildCustomDisplay($gId,
[$profileValues] = self::buildCustomDisplay($gId,
NULL,
$contactID,
$template,
Expand Down
18 changes: 14 additions & 4 deletions tests/phpunit/CRM/Event/BAO/EventPermissionsTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ private function setDeleteAllEventPermissions() {
}

public function testViewOwnEvent() {
self::setViewOwnEventPermissions();
$this->setViewOwnEventPermissions();
unset(\Civi::$statics['CRM_Event_BAO_Event']['permissions']);
$permissions = CRM_Event_BAO_Event::checkPermission($this->_ownEventId, CRM_Core_Permission::VIEW);
$this->assertTrue($permissions);
Expand All @@ -67,7 +67,7 @@ public function testViewOwnEvent() {
}

public function testEditOwnEvent() {
self::setViewOwnEventPermissions();
$this->setViewOwnEventPermissions();
unset(\Civi::$statics['CRM_Event_BAO_Event']['permissions']);
$this->_loggedInUser = CRM_Core_Session::singleton()->get('userID');
$permissions = CRM_Event_BAO_Event::checkPermission($this->_ownEventId, CRM_Core_Permission::EDIT);
Expand All @@ -79,7 +79,7 @@ public function testEditOwnEvent() {
*/
public function testDeleteOwnEvent() {
// Check that you can't delete your own event without "Delete in CiviEvent" permission
self::setViewOwnEventPermissions();
$this->setViewOwnEventPermissions();
unset(\Civi::$statics['CRM_Event_BAO_Event']['permissions']);
$permissions = CRM_Event_BAO_Event::checkPermission($this->_ownEventId, CRM_Core_Permission::DELETE);
$this->assertFalse($permissions);
Expand Down Expand Up @@ -135,10 +135,20 @@ public function testDeleteOtherEventAllowed() {

public function testDeleteOtherEventDenied() {
// FIXME: This test could be improved, but for now it checks that we can't delete if we don't have "Delete in CiviEvent"
self::setEditAllEventPermissions();
$this->setEditAllEventPermissions();
unset(\Civi::$statics['CRM_Event_BAO_Event']['permissions']);
$permissions = CRM_Event_BAO_Event::checkPermission($this->_otherEventId, CRM_Core_Permission::DELETE);
$this->assertFalse($permissions);
}

/**
* Test get complete info function returns all info for contacts with view all info.
*/
public function testGetCompleteInfo() {
$this->setupScenarioCoreACLEveryonePermittedToEvent();
$info = CRM_Event_BAO_Event::getCompleteInfo('20000101');
$this->assertEquals('Annual CiviCRM meet', $info[0]['title']);
$this->assertEquals('Annual CiviCRM meet', $info[1]['title']);
}

}