Merge pull request #245 from christianwach/lab-wp-96

Fix access permissions for sub-pages and "Quick Add" dashlet
civicrm · Mar 17, 2021 · e40392c · e40392c
2 parents b9ca377 + 1a01535
commit e40392c
Show file tree

Hide file tree

Showing 4 changed files with 84 additions and 6 deletions.
diff --git a/includes/admin-metaboxes/civicrm.metabox.contact.add.php b/includes/admin-metaboxes/civicrm.metabox.contact.add.php
@@ -69,6 +69,11 @@ public function __construct() {
    */
   public function register_hooks() {
 
+    // Bail if the current WordPress User cannot add Contacts.
+    if (!$this->civi->users->check_civicrm_permission('add_contacts')) {
+      return;
+    }
+
     // Add our meta boxes.
     add_action('wp_dashboard_setup', [$this, 'meta_box_add']);
 

diff --git a/includes/admin-pages/civicrm.page.integration.php b/includes/admin-pages/civicrm.page.integration.php
@@ -88,6 +88,25 @@ public function register_hooks() {
 
   }
 
+  /**
+   * Get the capability required to access the Settings Page.
+   *
+   * @since 5.35
+   */
+  public function access_capability() {
+
+    /**
+     * Return default capability but allow overrides.
+     *
+     * @since 5.35
+     *
+     * @param str The default access capability.
+     * @return str The modified access capability.
+     */
+    return apply_filters('civicrm/admin/integration/cap', 'manage_options');
+
+  }
+
   /**
    * Adds CiviCRM sub-menu items to WordPress admin menu.
    *
@@ -100,12 +119,15 @@ public function add_menu_items() {
       return;
     }
 
+    // Get access capability.
+    $capability = $this->access_capability();
+
     // Add Integration submenu item.
     $integration_page = add_submenu_page(
       'CiviCRM',
       __('Integrating CiviCRM with WordPress', 'civicrm'),
       __('Integration', 'civicrm'),
-      'access_civicrm',
+      $capability,
       'civi_integration',
       [$this, 'page_integration']
     );
@@ -208,8 +230,9 @@ public function meta_boxes_integration_add($screen_id) {
       return;
     }
 
-    // Bail if user cannot access CiviCRM.
-    if (!current_user_can('access_civicrm')) {
+    // Bail if user cannot access the Integration Page.
+    $capability = $this->access_capability();
+    if (!current_user_can($capability)) {
       return;
     }
 

diff --git a/includes/admin-pages/civicrm.page.options.php b/includes/admin-pages/civicrm.page.options.php
@@ -90,19 +90,41 @@ public function register_hooks() {
 
   }
 
+  /**
+   * Get the capability required to access the Settings Page.
+   *
+   * @since 5.35
+   */
+  public function access_capability() {
+
+    /**
+     * Return default capability but allow overrides.
+     *
+     * @since 5.35
+     *
+     * @param str The default access capability.
+     * @return str The modified access capability.
+     */
+    return apply_filters('civicrm/admin/settings/cap', 'manage_options');
+
+  }
+
   /**
    * Adds CiviCRM sub-menu items to WordPress admin menu.
    *
    * @since 5.34
    */
   public function add_menu_items() {
 
+    // Get access capability.
+    $capability = $this->access_capability();
+
     // Add Settings submenu item.
     $options_page = add_submenu_page(
       'CiviCRM',
       __('CiviCRM Settings for WordPress', 'civicrm'),
       __('Settings', 'civicrm'),
-      'access_civicrm',
+      $capability,
       $this->slug,
       [$this, 'page_options']
     );
@@ -260,8 +282,9 @@ public function meta_boxes_options_add($screen_id) {
       return;
     }
 
-    // Bail if user cannot access CiviCRM.
-    if (!current_user_can('access_civicrm')) {
+    // Bail if user cannot access the Settings Page.
+    $capability = $this->access_capability();
+    if (!current_user_can($capability)) {
       return;
     }
 

diff --git a/includes/civicrm.users.php b/includes/civicrm.users.php
@@ -124,6 +124,33 @@ public function check_permission($args) {
 
   }
 
+  /**
+   * Check a CiviCRM permission.
+   *
+   * @since 5.35
+   *
+   * @param str $permission The permission string.
+   * @return bool $permitted True if allowed, false otherwise.
+   */
+  public function check_civicrm_permission($permission) {
+
+    // Always deny if CiviCRM is not initialised.
+    if (!$this->civi->initialize()) {
+      return FALSE;
+    }
+
+    // Deny by default.
+    $permitted = FALSE;
+
+    // Check CiviCRM permissions.
+    if (CRM_Core_Permission::check($permission)) {
+      $permitted = TRUE;
+    }
+
+    return $permitted;
+
+  }
+
   /**
    * Get "permission denied" text.
    *