From 6994bf432da6a3c231a92e10924cf60d1c3c1a04 Mon Sep 17 00:00:00 2001
From: Matthew Wire
Date: Mon, 24 Aug 2020 11:48:35 +0100
Subject: [PATCH] Restrict Order API to pending statuses for participant
---
 CRM/Event/BAO/ParticipantStatusType.php | 22 ++++++++++++++++++++++
 api/v3/Order.php | 7 ++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/CRM/Event/BAO/ParticipantStatusType.php b/CRM/Event/BAO/ParticipantStatusType.php
index 9db56d820b59..33bccd12fc48 100644
--- a/CRM/Event/BAO/ParticipantStatusType.php
+++ b/CRM/Event/BAO/ParticipantStatusType.php
@@ -99,6 +99,28 @@ public static function setIsActive($id, $isActive) {
 return CRM_Core_DAO::setFieldValue('CRM_Event_BAO_ParticipantStatusType', $id, 'is_active', $isActive);
 }
 
+ /**
+ * Checks if status_id (id or string (eg. 5 or "Pending from pay later") is allowed for class
+ *
+ * @param int|string $status_id
+ * @param string $class
+ *
+ * @return bool
+ */
+ public static function getIsValidStatusForClass($status_id, $class = 'Pending') {
+ $classParticipantStatuses = civicrm_api3('ParticipantStatusType', 'get', [
+ 'class' => $class,
+ 'is_active' => 1,
+ ])['values'];
+ foreach ($classParticipantStatuses as $id => $detail) {
+ $allowedParticipantStatuses[$id] = $detail['name'];
+ }
+ if (in_array($status_id,$allowedParticipantStatuses) || array_key_exists($status_id, $allowedParticipantStatuses)) {
+ return TRUE;
+ }
+ return FALSE;
+ }
+
 /**
 * @param array $params
 *
diff --git a/api/v3/Order.php b/api/v3/Order.php
index 4014f9029ebe..f5415c0570f2 100644
--- a/api/v3/Order.php
+++ b/api/v3/Order.php
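Review bot: `$allowedParticipantStatuses` is never initialised in getIsValidStatusForClass, so when the ParticipantStatusType lookup returns no active rows for `$class` the `in_array()` call receives null and fails (a warning on PHP 7, a TypeError on PHP 8) instead of returning FALSE. The membership test is also loose: `in_array($status_id,$allowedParticipantStatuses)` compares the supplied status id against the status names with `==`, so a value such as `true` (or `0` on PHP 7) is reported as a valid pending status although it matches no id or name, which matters because the Order API hunk in this commit relies on this return value to reject non-pending participants. Add `$allowedParticipantStatuses = [];` before the foreach and compare strictly: `if (in_array($status_id, $allowedParticipantStatuses, TRUE) || array_key_exists($status_id, $allowedParticipantStatuses)) {`. The docblock's first line has an unclosed parenthesis; `Checks whether a participant status id (e.g. 5) or name (e.g. "Pending from pay later") belongs to the given status class` would read cleaner.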
@@ -92,7 +92,12 @@ function civicrm_api3_order_create($params) {
 if ($entityParams) {
 switch ($entity) {
 case 'participant':
- $entityParams['status_id'] = $entityParams['participant_status_id'] ?? 'Pending from incomplete transaction';
+ if (isset($entityParams['participant_status_id'])
+ && (!CRM_Event_BAO_ParticipantStatusType::getIsValidStatusForClass($entityParams['participant_status_id'], 'Pending'))) {
+ throw new CiviCRM_API3_Exception('Creating a participant via the Order API with a non "pending" status is not supported');
+ }
+ $entityParams['participant_status_id'] = $entityParams['participant_status_id'] ?? 'Pending from incomplete transaction';
+ $entityParams['status_id'] = $entityParams['participant_status_id'];
 break;
 case 'membership':