Merge pull request civicrm#18 from Edzelopez/CIVI-28

CIVI-28 Added check for lineitems edit and delete
Edzelopez · Mar 20, 2015 · 9ca452e · 9ca452e
2 parents 4027a75 + e8105da
commit 9ca452e
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 11 deletions.
diff --git a/CRM/Contribute/Form/Contribution.php b/CRM/Contribute/Form/Contribution.php
@@ -493,13 +493,7 @@ public function buildQuickForm() {
     // FIXME: This probably needs to be done in preprocess
     if ($this->_action & CRM_Core_Action::UPDATE && CRM_Utils_Array::value('financial_type_id', $this->_values)) {
       $financialTypeID = CRM_Contribute_PseudoConstant::financialType($this->_values['financial_type_id']);
-      $lineItems = CRM_Price_BAO_LineItem::getLineItemsByContributionID($this->_id);
-      foreach ($lineItems as $items) { 
-        if (!CRM_Core_Permission::check('edit contributions of type ' . CRM_Contribute_PseudoConstant::financialType($items['financial_type_id']))) {
-          CRM_Core_Error::fatal(ts('You do not have permission to access this page.'));
-          break;
-        }
-      }
+      CRM_Financial_BAO_FinancialType::checkPermissionedLineItems($this->_id, 'edit');
       if (!CRM_Core_Permission::check('edit contributions of type ' . $financialTypeID)) {
         CRM_Core_Error::fatal(ts('You do not have permission to access this page.'));
       }

diff --git a/CRM/Contribute/Form/ContributionView.php b/CRM/Contribute/Form/ContributionView.php
@@ -54,6 +54,13 @@ public function preProcess() {
     CRM_Contribute_BAO_Contribution::getValues($params, $values, $ids);
     if ($this->_action & CRM_Core_Action::VIEW) {
       $financialTypeID = CRM_Contribute_PseudoConstant::financialType($values['financial_type_id']);
+      CRM_Financial_BAO_FinancialType::checkPermissionedLineItems($id, 'view');
+      if (CRM_Financial_BAO_FinancialType::checkPermissionedLineItems($id, 'edit', FALSE)) {
+        $this->assign('canEdit', TRUE);
+      }
+      if (CRM_Financial_BAO_FinancialType::checkPermissionedLineItems($id, 'delete', FALSE)) {
+        $this->assign('canDelete', TRUE);
+      }
       if (!CRM_Core_Permission::check('view contributions of type ' . $financialTypeID)) {
         CRM_Core_Error::fatal(ts('You do not have permission to access this page.'));
       }

diff --git a/CRM/Financial/BAO/FinancialType.php b/CRM/Financial/BAO/FinancialType.php
@@ -225,4 +225,20 @@ public static function buildPermissionedClause(&$whereClauses) {
     }
     $whereClauses[] = ' financial_type_id IN (' . implode(',' , $ids) .')';
   }
+
+  public static function checkPermissionedLineItems($id, $op, $force = TRUE) {
+    $lineItems = CRM_Price_BAO_LineItem::getLineItemsByContributionID($id);
+    foreach ($lineItems as $items) { 
+      if (!CRM_Core_Permission::check($op . ' contributions of type ' . CRM_Contribute_PseudoConstant::financialType($items['financial_type_id']))) {
+        if ($force) {
+          CRM_Core_Error::fatal(ts('You do not have permission to access this page.'));
+          break;
+        }
+        return FALSE;
+      }
+      else {
+        return TRUE;
+      }
+    }
+  }
 }
diff --git a/templates/CRM/Contribute/Form/ContributionView.tpl b/templates/CRM/Contribute/Form/ContributionView.tpl
@@ -26,7 +26,7 @@
 <div class="crm-block crm-content-block crm-contribution-view-form-block">
 <div class="action-link">
   <div class="crm-submit-buttons">
-    {if call_user_func(array('CRM_Core_Permission','check'), 'edit contributions') && call_user_func(array('CRM_Core_Permission', 'check'), "edit contributions of type $financial_type")}
+    {if call_user_func(array('CRM_Core_Permission','check'), 'edit contributions') && call_user_func(array('CRM_Core_Permission', 'check'), "edit contributions of type $financial_type") && $canEdit}
       {assign var='urlParams' value="reset=1&id=$id&cid=$contact_id&action=update&context=$context"}
       {if ( $context eq 'fulltext' || $context eq 'search' ) && $searchKey}
         {assign var='urlParams' value="reset=1&id=$id&cid=$contact_id&action=update&context=$context&key=$searchKey"}
@@ -35,7 +35,7 @@
           <div class="icon ui-icon-pencil"></div>{ts}Edit{/ts}</span>
       </a>
     {/if}
-    {if call_user_func(array('CRM_Core_Permission','check'), 'delete in CiviContribute') && call_user_func(array('CRM_Core_Permission', 'check'), "delete contributions of type $financial_type")}
+    {if call_user_func(array('CRM_Core_Permission','check'), 'delete in CiviContribute') && call_user_func(array('CRM_Core_Permission', 'check'), "delete contributions of type $financial_type") && $canDelete}
       {assign var='urlParams' value="reset=1&id=$id&cid=$contact_id&action=delete&context=$context"}
       {if ( $context eq 'fulltext' || $context eq 'search' ) && $searchKey}
         {assign var='urlParams' value="reset=1&id=$id&cid=$contact_id&action=delete&context=$context&key=$searchKey"}
@@ -309,15 +309,15 @@
 {/if}
 
 <div class="crm-submit-buttons">
-  {if call_user_func(array('CRM_Core_Permission','check'), 'edit contributions') && call_user_func(array('CRM_Core_Permission', 'check'), "edit contributions of type $financial_type")}
+  {if call_user_func(array('CRM_Core_Permission','check'), 'edit contributions') && call_user_func(array('CRM_Core_Permission', 'check'), "edit contributions of type $financial_type") && $canEdit}
     {assign var='urlParams' value="reset=1&id=$id&cid=$contact_id&action=update&context=$context"}
     {if ( $context eq 'fulltext' || $context eq 'search' ) && $searchKey}
       {assign var='urlParams' value="reset=1&id=$id&cid=$contact_id&action=update&context=$context&key=$searchKey"}
     {/if}
     <a class="button" href="{crmURL p='civicrm/contact/view/contribution' q=$urlParams}" accesskey="e"><span><div
           class="icon ui-icon-pencil"></div>{ts}Edit{/ts}</span></a>
   {/if}
-  {if call_user_func(array('CRM_Core_Permission','check'), 'delete in CiviContribute') && call_user_func(array('CRM_Core_Permission', 'check'), "delete contributions of type $financial_type")}
+  {if call_user_func(array('CRM_Core_Permission','check'), 'delete in CiviContribute') && call_user_func(array('CRM_Core_Permission', 'check'), "delete contributions of type $financial_type") && $canDelete}
     {assign var='urlParams' value="reset=1&id=$id&cid=$contact_id&action=delete&context=$context"}
     {if ( $context eq 'fulltext' || $context eq 'search' ) && $searchKey}
       {assign var='urlParams' value="reset=1&id=$id&cid=$contact_id&action=delete&context=$context&key=$searchKey"}