Merge pull request civicrm#24 from Edzelopez/CIVI-28

CIVI-28 Added permission check for online events
Edzelopez · Mar 26, 2015 · cf5bfe7 · cf5bfe7
2 parents 0c90deb + ade33c4
commit cf5bfe7
Showing 1 changed file with 15 additions and 2 deletions.
diff --git a/CRM/Event/Form/Registration.php b/CRM/Event/Form/Registration.php
@@ -240,6 +240,12 @@ public function preProcess() {
       //retrieve event information
       $params = array('id' => $this->_eventId);
       CRM_Event_BAO_Event::retrieve($params, $this->_values['event']);
+      // check for is_monetary status
+      $isMonetary = CRM_Utils_Array::value('is_monetary', $this->_values['event']);
+      // check for ability to add contributions of type
+      if ($isMonetary && !CRM_Core_Permission::check('add contributions of type ' . CRM_Contribute_PseudoConstant::financialType($this->_values['event']['financial_type_id']))) {
+        CRM_Core_Error::fatal(ts('You do not have permission to access this page.'));
+      }
 
       $this->checkValidEvent($infoUrl);
       // get the participant values, CRM-4320
@@ -285,8 +291,6 @@ public function preProcess() {
         $participant_role = CRM_Core_OptionGroup::values('participant_role');
         $this->_values['event']['participant_role'] = $participant_role["{$this->_values['event']['default_role_id']}"];
       }
-      // check for is_monetary status
-      $isMonetary = CRM_Utils_Array::value('is_monetary', $this->_values['event']);
       $isPayLater = CRM_Core_DAO::getFieldValue('CRM_Event_DAO_Event', $this->_eventId, 'is_pay_later');
       //check for variour combination for paylater, payment
       //process with paid event.
@@ -712,6 +716,15 @@ public static function initEventFee(&$form, $eventID) {
     else {
       $isPaidEvent = CRM_Utils_Array::value('is_monetary', $form->_values['event']);
     }
+    if (!empty($form->_values['fee'])) {
+      foreach ($form->_values['fee'] as $fees) {
+        foreach ($fees['options'] as $options) {
+          if (!CRM_Core_Permission::check('add contributions of type ' . CRM_Contribute_PseudoConstant::financialType($options['financial_type_id']))) {
+            CRM_Core_Error::fatal(ts('You do not have permission to access this page.'));
+          }
+        }
+      }
+    }
     if ($isPaidEvent && empty($form->_values['fee'])) {
       if (CRM_Utils_System::getClassName($form) != 'CRM_Event_Form_Participant') {
         CRM_Core_Error::fatal(ts('No Fee Level(s) or Price Set is configured for this event.<br />Click <a href=\'%1\'>CiviEvent >> Manage Event >> Configure >> Event Fees</a> to configure the Fee Level(s) or Price Set for this event.', array(1 => CRM_Utils_System::url('civicrm/event/manage/fee', 'reset=1&action=update&id=' . $form->_eventId))));