Merge pull request #10522 from colemanw/CRM-20743

CRM-20743 - Check tag permissions in UI and BAO

CRM/Core/BAO/Tag.php

@@ -413,6 +413,20 @@ public static function add(&$params, $ids = array()) {
       return NULL;
     }
 
+    // Check permission to create or modify reserved tag
+    if (!empty($params['check_permissions']) && !CRM_Core_Permission::check('administer reserved tags')) {
+      if (!empty($params['is_reserved']) || ($id && CRM_Core_DAO::getFieldValue('CRM_Core_DAO_Tag', $id, 'is_reserved'))) {
+        throw new CRM_Core_Exception('Insufficient permission to administer reserved tag.');
+      }
+    }
+
+    // Check permission to create or modify tagset
+    if (!empty($params['check_permissions']) && !CRM_Core_Permission::check('administer Tagsets')) {
+      if (!empty($params['is_tagset']) || ($id && CRM_Core_DAO::getFieldValue('CRM_Core_DAO_Tag', $id, 'is_tagset'))) {
+        throw new CRM_Core_Exception('Insufficient permission to administer tagset.');
+      }
+    }
+
     $tag = new CRM_Core_DAO_Tag();
 
     // if parent id is set then inherit used for and is hidden properties

CRM/Core/Permission.php

@@ -127,7 +127,7 @@ public static function check($permissions) {
         foreach ($permission as $orPerm) {
           if (self::check($orPerm)) {
             //one of our 'or' permissions has succeeded - stop checking this permission
-            return TRUE;;
+            return TRUE;
           }
         }
         //none of our our conditions was met

CRM/Tag/Form/Edit.php

@@ -54,38 +54,47 @@ public function preProcess() {
    * Build the form object.
    */
   public function buildQuickForm() {
+    $bounceUrl = CRM_Utils_System::url('civicrm/tag');
     if ($this->_action == CRM_Core_Action::DELETE) {
-      $url = CRM_Utils_System::url('civicrm/tag');
       if (!$this->_id) {
         $this->_id = explode(',', CRM_Utils_Request::retrieve('id', 'String'));
       }
       $this->_id = (array) $this->_id;
       if (!$this->_id) {
-        CRM_Core_Error::statusBounce(ts("Unknown tag."), $url);
+        CRM_Core_Error::statusBounce(ts("Unknown tag."), $bounceUrl);
       }
       foreach ($this->_id as $id) {
         if (!CRM_Utils_Rule::positiveInteger($id)) {
-          CRM_Core_Error::statusBounce(ts("Unknown tag."), $url);
+          CRM_Core_Error::statusBounce(ts("Unknown tag."), $bounceUrl);
         }
         if ($tag = CRM_Core_DAO::getFieldValue('CRM_Core_DAO_Tag', $id, 'name', 'parent_id')) {
-          CRM_Core_Error::statusBounce(ts("This tag cannot be deleted. You must delete all its child tags ('%1', etc) prior to deleting this tag.", array(1 => $tag)), $url);
+          CRM_Core_Error::statusBounce(ts("This tag cannot be deleted. You must delete all its child tags ('%1', etc) prior to deleting this tag.", array(1 => $tag)), $bounceUrl);
         }
         if (!CRM_Core_Permission::check('administer reserved tags') && CRM_Core_DAO::getFieldValue('CRM_Core_DAO_Tag', $id, 'is_reserved')) {
-          CRM_Core_Error::statusBounce(ts("You do not have sufficient permission to delete this reserved tag."), $url);
+          CRM_Core_Error::statusBounce(ts("You do not have sufficient permission to delete this reserved tag."), $bounceUrl);
         }
       }
       if (count($this->_id) > 1) {
         $this->assign('delName', ts('%1 tags', array(1 => count($this->_id))));
       }
     }
     else {
+      $adminTagset = CRM_Core_Permission::check('administer Tagsets');
+      $adminReservedTags = CRM_Core_Permission::check('administer reserved tags');
+
       $this->_isTagSet = CRM_Utils_Request::retrieve('tagset', 'Positive', $this);
 
       if (!$this->_isTagSet && $this->_id &&
         CRM_Core_DAO::getFieldValue('CRM_Core_DAO_Tag', $this->_id, 'is_tagset')
       ) {
         $this->_isTagSet = TRUE;
       }
+      if ($this->_isTagSet && !$adminTagset) {
+        CRM_Core_Error::statusBounce(ts("You do not have sufficient permission to edit this tagset."), $bounceUrl);
+      }
+      if ($this->_id && !$adminReservedTags && CRM_Core_DAO::getFieldValue('CRM_Core_DAO_Tag', $this->_id, 'is_reserved')) {
+        CRM_Core_Error::statusBounce(ts("You do not have sufficient permission to edit this reserved tag."), $bounceUrl);
+      }
 
       if ($this->_id) {
         $parentId = CRM_Core_DAO::getFieldValue('CRM_Core_DAO_Tag', $this->_id, 'parent_id');
@@ -133,16 +142,10 @@ public function buildQuickForm() {
         $this->addSelect('used_for', array('multiple' => TRUE, 'option_url' => NULL));
       }
 
-      $adminTagset = TRUE;
-      if (!CRM_Core_Permission::check('administer Tagsets')) {
-        $adminTagset = FALSE;
-      }
       $this->assign('adminTagset', $adminTagset);
 
-      $adminReservedTags = TRUE;
-      if (!CRM_Core_Permission::check('administer reserved tags')) {
+      if (!$adminReservedTags) {
         $isReserved->freeze();
-        $adminReservedTags = FALSE;
       }
       $this->assign('adminReservedTags', $adminReservedTags);
     }
@@ -162,6 +165,9 @@ public function setDefaultValues() {
       $params = array('id' => $cloneFrom);
       CRM_Core_BAO_Tag::retrieve($params, $this->_values);
       $this->_values['name'] .= ' (' . ts('copy') . ')';
+      if (!empty($this->_values['is_reserved']) && !CRM_Core_Permission::check('administer reserved tags')) {
+        $this->_values['is_reserved'] = 0;
+      }
       $defaults = $this->_values;
     }
     if (empty($defaults['color'])) {

templates/CRM/Tag/Page/Tag.tpl

@@ -389,6 +389,9 @@
   div.tag-info input[type=color] {
     cursor: pointer;
   }
+  div.tag-info input[disabled] {
+    cursor: default;
+  }
   div.tag-info .tdl {
     font-weight: bold;
     color: #999;
@@ -432,15 +435,15 @@
 <script type="text/template" id="oneSelectedTpl">
   <div class="crm-entity" data-entity="Tag" data-id="<%= id %>">
     <h4>
-      <input type="color" value="<%= data.color %>" title="{ts}Select color{/ts}"/>
-      <span class="crm-editable" data-field="name"><%- text %></span>
+      <input type="color" value="<%= data.color %>" <% if (!data.is_reserved || adminReserved) {ldelim} %>title="{ts}Select color{/ts}" <% {rdelim} else {ldelim} %>disabled<% {rdelim} %> />
+      <span class="<% if (!data.is_reserved || adminReserved) {ldelim} %>crm-editable<% {rdelim} %>" data-field="name"><%- text %></span>
     </h4>
     <hr />
     <div><span class="tdl">{ts}Description:{/ts}</span>
-      <span class="crm-editable" data-field="description"><%- data.description %></span>
+      <span class="<% if (!data.is_reserved || adminReserved) {ldelim} %>crm-editable<% {rdelim} %>" data-field="description"><%- data.description %></span>
     </div>
     <div><span class="tdl">{ts}Selectable:{/ts}</span>
-      <span class="crm-editable" data-field="is_selectable" data-type="select"><% if (data.is_selectable) {ldelim} %> {ts}Yes{/ts} <% {rdelim} else {ldelim} %> {ts}No{/ts} <% {rdelim} %></span>
+      <span class="<% if (!data.is_reserved || adminReserved) {ldelim} %>crm-editable<% {rdelim} %>" data-field="is_selectable" data-type="select"><% if (data.is_selectable) {ldelim} %> {ts}Yes{/ts} <% {rdelim} else {ldelim} %> {ts}No{/ts} <% {rdelim} %></span>
     </div>
     <div><span class="tdl">{ts}Reserved:{/ts}</span>
       <span class="<% if (adminReserved) {ldelim} %>crm-editable<% {rdelim} %>" data-field="is_reserved" data-type="select"><% if (data.is_reserved) {ldelim} %> {ts}Yes{/ts} <% {rdelim} else {ldelim} %> {ts}No{/ts} <% {rdelim} %></span>
@@ -449,7 +452,7 @@
       <div>
         <span class="tdl">{ts}Used For:{/ts}</span>
         {literal}
-          <span class="crm-editable-enabled used-for-toggle">
+          <span class="<% if (!data.is_reserved || adminReserved) { %>crm-editable-enabled used-for-toggle<% } %>">
             <% if (!data.used_for.length) { %><i class="crm-i fa-pencil crm-editable-placeholder"></i><% } %>
             <% _.forEach(data.used_for, function(key, i) { %><%- (i ? ', ' : '') + usedFor[key] %><% }) %>
           </span>