CRM: Ensuring users assigned to contacts linked to transactions, invoices, quotes can view those objects

projects/plugins/crm/changelog/fix-crm-assign-ownership-viewobjects

@@ -0,0 +1,4 @@
+Significance: patch
+Type: fixed
+
+Permissions: Allowing users assigned to contacts to view linked objects even if assign ownership is unchecked

projects/plugins/crm/includes/ZeroBSCRM.Edit.php

@@ -164,41 +164,60 @@ public function preChecks(){
 
         global $zbs;
 
-        // only do this stuff v3.0+
-        if ($zbs->isDAL3()){
-
           $is_malformed_obj = false;
 
           if (is_array($this->obj) && isset($this->obj['owner'])){
-            $objOwner = (int)$this->obj['owner'];
+				$obj_owner = (int) $this->obj['owner'];
+
+				// Transactions can have a contact or company assigned, and quotes just a contact. This covers checking owners for both.
+			if ( isset( $this->obj['contact'][0]['owner'] ) ) {
+					$obj_owner = (int) $this->obj['contact'][0]['owner'];
+
+			} elseif ( isset( $this->obj['company'][0]['owner'] ) ) {
+					$obj_owner = (int) $this->obj['company'][0]['owner'];
+				// phpcs:disable Generic.WhiteSpace.ScopeIndent.IncorrectExact,Generic.WhiteSpace.ScopeIndent.Incorrect -- this sniff is incorrectly reporting spacing issues.
+				}
+
+				// This covers checking owners for assigned contacts or companies in invoices.
+				if ( $this->objTypeID === ZBS_TYPE_INVOICE ) { // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
+					$data = zeroBSCRM_invoicing_getInvoiceData( $this->objID ); // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
+					if ( ! empty( $data['invoiceObj']['contact'] ) ) {
+						$obj_owner = (int) $data['invoiceObj']['contact'][0]['owner'];
+					} elseif ( ! empty( $data['invoiceObj']['contact'] ) ) {
+						$obj_owner = (int) $data['invoiceObj']['company'][0]['owner'];
+					}
+				}
           } else {
+			// phpcs:enable Generic.WhiteSpace.ScopeIndent.IncorrectExact,Generic.WhiteSpace.ScopeIndent.Incorrect
             // if $this->obj is not an array, somehow it's not been loaded properly (probably perms)
             // get owner info anyway
             $is_malformed_obj = true;
-            $objOwner = $zbs->DAL->getObjectOwner(array(
-              'objID'           => $this->objID,
-              'objTypeID'       => $this->objTypeID
-            ));
+				$obj_owner    = $zbs->DAL->getObjectOwner( // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
+					array(
+						'objID'     => $this->objID, // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
+						'objTypeID' => $this->objTypeID, // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
+					)
+				);
           }
           // get current user
-          $currentUserID = get_current_user_id();
+			$current_user_id = get_current_user_id();
 
-          if ($objOwner > 0 && $objOwner != $currentUserID){
-            // not current user
-            // does user have perms to edit?
-            $canEditAllContacts = current_user_can('admin_zerobs_customers') && $zbs->settings->get('perusercustomers') == 0;
-            $canGiveOwnership = $zbs->settings->get('usercangiveownership') == 1;
-            $canChangeOwner = ($canGiveOwnership || current_user_can('administrator') || $canEditAllContacts);
+		if ( $obj_owner > 0 && $obj_owner != $current_user_id ) { // phpcs:ignore Universal.Operators.StrictComparisons.LooseNotEqual -- as below, there is the chance the numbers could be strings here, as expected elsewhere in the plugin.
+				// not current user
+				// does user have perms to edit?
+				$can_edit_all_contacts = current_user_can( 'admin_zerobs_customers' ) && $zbs->settings->get( 'perusercustomers' ) == 0; // phpcs:ignore Universal.Operators.StrictComparisons.LooseEqual,WordPress.WP.Capabilities.Unknown  -- this was defined in ZeroBSCRM.Permissions.php.
+				$can_give_ownership    = $zbs->settings->get( 'usercangiveownership' ) == 1; // phpcs:ignore Universal.Operators.StrictComparisons.LooseEqual -- also above, there is the chance the numbers could be strings here, as expected elsewhere in the plugin.
+				$can_change_owner      = ( $can_give_ownership || current_user_can( 'manage_options' ) || $can_edit_all_contacts );
 
-            if (!$canChangeOwner){
+			if ( ! $can_change_owner ) {
 
-              // owners can't be changed with user's perms, so denied msg
-              $this->preCheckFail( sprintf( __( 'You do not have permission to edit this %s.', 'zero-bs-crm' ), $zbs->DAL->typeStr( $this->objTypeID ) ) );
-              return false;
+					// owners can't be changed with user's perms, so denied msg
+					// Translators: %s is the object type (for example transaction, quote, invoice).
+					$this->preCheckFail( sprintf( __( 'You do not have permission to edit this %s.', 'zero-bs-crm' ), $zbs->DAL->typeStr( $this->objTypeID ) ) ); // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
+					return false;
 
             }
             if ( !$this->has_permissions_to_edit ){
-
               // user does not have a role which can edit this object type
               $this->preCheckFail( sprintf( __( 'You do not have permission to edit this %s.', 'zero-bs-crm' ), $zbs->DAL->typeStr( $this->objTypeID ) ) );
               return false;
@@ -212,8 +231,6 @@ public function preChecks(){
 
           }
 
-        }
-
         //load if is legit
         return true;
     }