CRM-19494 Refactoring of permission code #9229
Conversation
|
@systopia can you please fix the style errors found here https://test.civicrm.org/job/CiviCRM-Core-PR/12167/checkstyleResult/new/ |
@seamuslee001 done. thanks. |
| // empty contact lists would cause trouble in the SQL. And be pointless. | ||
| return $result_set; | ||
| } | ||
| $contact_id_list = implode(',', $contact_ids); |
There was a problem hiding this comment.
trivial point - but this might be better after the 'early return' for 'edit all contacts' etc
|
|
||
| // get logged in user | ||
| $session = CRM_Core_Session::singleton(); | ||
| $contactID = (int) $session->get('userID'); |
There was a problem hiding this comment.
Preferred function here is $contactID = CRM_Core_Session::getLoggedInUser()
it saves a whole line!
There was a problem hiding this comment.
will do (found out it's ::getLoggedInContactID(), just in case anybody wonders)
| $tables = array(); | ||
| $whereTables = array(); | ||
| // get logged in user | ||
| $session = CRM_Core_Session::singleton(); |
There was a problem hiding this comment.
ditto about the preferred function - saves 3 lines here as the function name should be clear enough to justify dropping the comment line :-)
| $contactID = (int) $session->get('userID'); | ||
|
|
||
| // first: check if contact is trying to view own contact | ||
| if ($type == CRM_Core_Permission::VIEW && CRM_Core_Permission::check('view my contact') |
There was a problem hiding this comment.
DIdn't we decide this should be
$type == CRM_Core_Permission::VIEW && (CRM_Core_Permission::check('view my contact') || CRM_Core_Permission::check('edit my contact'))
There was a problem hiding this comment.
I decided to not do that for 'view/edit my contact', there might be scenarios where people should be able to e.g. set a flag to their contact without seeing all data....
| @@ -60,13 +158,16 @@ public static function allow($id, $type = CRM_Core_Permission::VIEW) { | |||
| return TRUE; | |||
| } | |||
|
|
|||
| //check permission based on relationship, CRM-2963 | |||
| // check permission based on relationship, CRM-2963 | |||
There was a problem hiding this comment.
While we are being fussy it's supposed to be a capital letter & a full stop at the end....
There was a problem hiding this comment.
Oops, I think I don't comply with that in any comment. Ignore it?
There was a problem hiding this comment.
well I can't standover you & deny you coffee now so we will have to :-)
| @@ -99,7 +202,8 @@ public static function cache($userID, $type = CRM_Core_Permission::VIEW, $force | |||
| } | |||
|
|
|||
| if (!$force) { | |||
| if (!empty($_processed[$userID])) { | |||
| // skip if already calculated | |||
| if (!empty($_processed[$type][$userID])) { | |||
There was a problem hiding this comment.
It might be better to do a select from the table to check there are entries for the user id - I'm worried the cache could be truncated from out of under someone
There was a problem hiding this comment.
Good point, but that might have a big impact on performance. Maybe we should investigate how often it's called...
There was a problem hiding this comment.
won't change now, since this is also the existing approach. But I added a FIXME comment
| @@ -125,6 +229,7 @@ public static function cache($userID, $type = CRM_Core_Permission::VIEW, $force | |||
|
|
|||
| $from = CRM_Contact_BAO_Query::fromClause($whereTables); | |||
|
|
|||
| // FIXME: don't use 'ON DUPLICATE KEY UPDATE' | |||
There was a problem hiding this comment.
I think I should push a fix for this up & get it in the same release
| // get the currently logged in user | ||
| $config = CRM_Core_Config::singleton(); | ||
| $session = CRM_Core_Session::singleton(); | ||
| $contactID = (int) $session->get('userID'); |
There was a problem hiding this comment.
ditto about using getLoggedInUser
| } | ||
|
|
||
| // get the currently logged in user | ||
| $config = CRM_Core_Config::singleton(); |
There was a problem hiding this comment.
If you are only using this for one purpose you can also do
$useSecondDegreeUserPermissions = CRM_Core_Config::singleton()->secondDegRelPermissions
| } | ||
|
|
||
| $queries[] = " | ||
| SELECT DISTINCT(second_degree_relationship.contact_id_{$second_direction['to']}) AS contact_id |
There was a problem hiding this comment.
I might be wrong but I don't think you need distinct here because the UNION will distinct it all
There was a problem hiding this comment.
removed SELECT DISTINCT and used UNION DISTINCT, although that was the default for UNION anyway
| while ($result->fetch()) { | ||
| $result_set[(int) $result->contact_id] = TRUE; | ||
| } | ||
| $keys = array_keys($result_set); |
There was a problem hiding this comment.
This line seems redundant
| $query = "(" . implode(")\nUNION (", $queries) . ")"; | ||
| $result = CRM_Core_DAO::executeQuery($query); | ||
| while ($result->fetch()) { | ||
| $result_set[(int) $result->contact_id] = TRUE; |
There was a problem hiding this comment.
I'd be tempted to skip this loop & do
$query = "SELECT GROUP_CONCAT contact_id FROM ( $query ) as q";
return explode(',', CRM_Core_DAO::singleValueQuery($query));
My guess is more work on mysql & less on php is better
There was a problem hiding this comment.
might be dangerous for large sets of contacts...
| $keys = array_keys($result_set); | ||
| return array_keys($result_set); | ||
| } | ||
|
|
There was a problem hiding this comment.
Why didn't jenkins bite you on the double line
| @@ -33,6 +33,96 @@ | |||
| class CRM_Contact_BAO_Contact_Permission { | |||
|
|
|||
| /** | |||
| * Check which of the given contact IDs the logged in user | |||
| * has permissions for the operation type according | |||
There was a problem hiding this comment.
According to what ... the suspense
| // create test contacts | ||
| $contacts = $this->createScenarioPlain(); | ||
|
|
||
| // test WITH all permissions |
There was a problem hiding this comment.
Might need to state that NULL has that effect
| $this->assertEquals($result, $contacts, "Contacts should be viewable when 'view all contacts'"); | ||
|
|
||
| // test WITH explicit permission | ||
| CRM_Core_Config::singleton()->userPermissionClass->permissions = array('view all contacts'); |
There was a problem hiding this comment.
Add a check for edit all contacts can view all contacts
- style - extra test - documentation - FIXME remarks
|
Closing this in favor of #9246 |
Contains:
CRM_Contact_BAO_Contact_PermissionWith the fix for CRM-12645 this should replace #9193.