Merge pull request #12424 from alifrumin/editOwnEvents
 Ensure users with the perm "CiviEvent: access CiviEvent" can edit events they have created.
eileenmcnaughton authored Aug 16, 2018
2 parents 5945b4e + 1580a51 commit c69852b
Showing 2 changed files with 61 additions and 13 deletions.
24 changes: 11 additions & 13 deletions CRM/Event/BAO/Event.php
Expand Up @@ -2064,9 +2064,7 @@ public static function checkRegistration($params) {
* the permission that the user has (or null)
*/
public static function checkPermission($eventId = NULL, $type = CRM_Core_Permission::VIEW) {
static $permissions = NULL;

if (empty($permissions)) {
if (!isset(Civi::$statics[__CLASS__]['permissions'])) {
$params = array(
'check_permissions' => 1,
'return' => 'title',
Expand All @@ -2085,19 +2083,19 @@ public static function checkPermission($eventId = NULL, $type = CRM_Core_Permiss
// Search again, but only events created by the user.
$params['created_id'] = 'user_contact_id';
$result = civicrm_api3('Event', 'get', $params);
$createdEvents = CRM_Utils_Array::collect('title', $result['values']);
$createdEvents = array_keys($result['values']);

// Note: for a multisite setup, a user with edit all events, can edit all events
// including those from other sites
if (CRM_Core_Permission::check('edit all events')) {
$permissions[CRM_Core_Permission::EDIT] = array_keys($allEvents);
Civi::$statics[__CLASS__]['permissions'][CRM_Core_Permission::EDIT] = array_keys($allEvents);
}
else {
$permissions[CRM_Core_Permission::EDIT] = CRM_ACL_API::group(CRM_Core_Permission::EDIT, NULL, 'civicrm_event', $allEvents, $createdEvents);
Civi::$statics[__CLASS__]['permissions'][CRM_Core_Permission::EDIT] = CRM_ACL_API::group(CRM_Core_Permission::EDIT, NULL, 'civicrm_event', $allEvents, $createdEvents);
}

if (CRM_Core_Permission::check('edit all events')) {
$permissions[CRM_Core_Permission::VIEW] = array_keys($allEvents);
Civi::$statics[__CLASS__]['permissions'][CRM_Core_Permission::VIEW] = array_keys($allEvents);
}
else {
if (CRM_Core_Permission::check('access CiviEvent') &&
Expand All @@ -2108,25 +2106,25 @@ public static function checkPermission($eventId = NULL, $type = CRM_Core_Permiss
// at the same time also allow any hook to override if needed.
$createdEvents = array_keys($allEvents);
}
$permissions[CRM_Core_Permission::VIEW] = CRM_ACL_API::group(CRM_Core_Permission::VIEW, NULL, 'civicrm_event', $allEvents, $createdEvents);
Civi::$statics[__CLASS__]['permissions'][CRM_Core_Permission::VIEW] = CRM_ACL_API::group(CRM_Core_Permission::VIEW, NULL, 'civicrm_event', $allEvents, $createdEvents);
}

$permissions[CRM_Core_Permission::DELETE] = array();
Civi::$statics[__CLASS__]['permissions'][CRM_Core_Permission::DELETE] = array();
if (CRM_Core_Permission::check('delete in CiviEvent')) {
// Note: we want to restrict the scope of delete permission to
// events that are editable/viewable (usecase multisite).
// We can remove array_intersect once we have ACL support for delete functionality.
$permissions[CRM_Core_Permission::DELETE] = array_intersect($permissions[CRM_Core_Permission::EDIT],
$permissions[CRM_Core_Permission::VIEW]
Civi::$statics[__CLASS__]['permissions'][CRM_Core_Permission::DELETE] = array_intersect(Civi::$statics[__CLASS__]['permissions'][CRM_Core_Permission::EDIT],
Civi::$statics[__CLASS__]['permissions'][CRM_Core_Permission::VIEW]
);
}
}

if ($eventId) {
return in_array($eventId, $permissions[$type]) ? TRUE : FALSE;
return in_array($eventId, Civi::$statics[__CLASS__]['permissions'][$type]) ? TRUE : FALSE;
}

return $permissions;
return Civi::$statics[__CLASS__]['permissions'];
}

/**
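Review bot: The new request-level cache `Civi::$statics[__CLASS__]['permissions']` (populated under the `isset` guard on the first line of the hunk and read on the `in_array` and final `return` lines) is keyed by class only, not by the acting contact, so whichever user triggers the first call fixes the EDIT/VIEW/DELETE id sets for everything that runs afterwards in that request; `CRM_Core_Permission::check` and the `created_id => 'user_contact_id'` lookup presumably follow the session user, so any code path that switches the logged-in contact mid-request (the new test has to `unset()` the entry by hand) would otherwise be served another user's permission sets. That contract belongs in checkPermission's docblock, which begins before the hunk: `Results are cached for the request in Civi::$statics[__CLASS__]['permissions']; callers that change the acting contact must unset that entry first.` The `$type` argument is also never checked against the three keys that are populated, so a caller passing another permission constant reads an undefined index on the `in_array` line; a one-line guard such as `$permissions = Civi::$statics[__CLASS__]['permissions'][$type] ?? [];` before the `in_array` would make that a clean FALSE.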
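--- a/tests/phpunit/CRM/Event/BAO/EventPermissionsTest.php
+++ b/tests/phpunit/CRM/Event/BAO/EventPermissionsTest.php
@@ -0,0 +1,50 @@
+<?php
+/*
++--------------------------------------------------------------------+
+| CiviCRM version 5 |
++--------------------------------------------------------------------+
+| Copyright CiviCRM LLC (c) 2004-2018 |
++--------------------------------------------------------------------+
+| This file is a part of CiviCRM. |
+| |
+| CiviCRM is free software; you can copy, modify, and distribute it |
+| under the terms of the GNU Affero General Public License |
+| Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
+| |
+| CiviCRM is distributed in the hope that it will be useful, but |
+| WITHOUT ANY WARRANTY; without even the implied warranty of |
+| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
+| See the GNU Affero General Public License for more details. |
+| |
+| You should have received a copy of the GNU Affero General Public |
+| License and the CiviCRM Licensing Exception along |
+| with this program; if not, contact CiviCRM LLC |
+| at info[AT]civicrm[DOT]org. If you have questions about the |
+| GNU Affero General Public License or the licensing of CiviCRM, |
+| see the CiviCRM license FAQ at http://civicrm.org/licensing |
++--------------------------------------------------------------------+
+*/
+
+/**
+* Class CRM_Event_BAO_EventPermissionsTest
+* @group headless
+*/
+class CRM_Event_BAO_EventPermissionsTest extends CiviUnitTestCase {
+
+public function setUp() {
+parent::setUp();
+$this->_contactId = $this->createLoggedInUser();
+$event = $this->eventCreate(array(
+'created_id' => $this->_contactId,
+));
+$this->_eventId = $event['id'];
+}
+
+public function testEditOwnEvent() {
+CRM_Core_Config::singleton()->userPermissionTemp = ['access civievent', 'access CiviCRM', 'view event info'];
+unset(\Civi::$statics['CRM_Event_BAO_Event']['permissions']);
+$permissions = CRM_Event_BAO_Event::checkPermission($this->_eventId, CRM_Core_Permission::EDIT);
+$this->assertTrue($permissions);
+}
+
+}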
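Review bot: testEditOwnEvent pins only the permissive half of the change: it asserts that the creator gets EDIT on their own event, but nothing asserts that the same permission set withholds EDIT on an event created by someone else, so a regression that returned every id from the `created_id` search, or that dropped the `CRM_ACL_API::group` filtering, would still pass. A companion test that creates an event with a different `created_id` and asserts `checkPermission($otherEventId, CRM_Core_Permission::EDIT)` is FALSE would cover the restrictive side (sketched below). The permission name `'access civievent'` is also spelled in lower case while Event.php checks `'access CiviEvent'`; if the temporary-permission stub compares case-sensitively this test passes for a reason other than the one intended, so confirm that or use the canonical casing. `$this->_contactId` and `$this->_eventId` are assigned without being declared on the class; `protected $_contactId;` and `protected $_eventId;` would make them explicit.
```php
  public function testCannotEditEventCreatedByOtherContact() {
    CRM_Core_Config::singleton()->userPermissionTemp = ['access CiviEvent', 'access CiviCRM', 'view event info'];
    $otherContactId = $this->individualCreate();
    $otherEvent = $this->eventCreate(array('created_id' => $otherContactId));
    unset(\Civi::$statics['CRM_Event_BAO_Event']['permissions']);
    $this->assertFalse(CRM_Event_BAO_Event::checkPermission($otherEvent['id'], CRM_Core_Permission::EDIT));
  }
```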
