From ade33c44c37e55678703b4e9a852fc11ec4c93b9 Mon Sep 17 00:00:00 2001
From: Edsel
Date: Thu, 26 Mar 2015 18:09:05 +0530
Subject: [PATCH] CIVI-28 Added permission check for online events

---
 CRM/Event/Form/Registration.php | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/CRM/Event/Form/Registration.php b/CRM/Event/Form/Registration.php
index 7cf1cfbddbdf..d70b3f5ef99d 100644
--- a/CRM/Event/Form/Registration.php
+++ b/CRM/Event/Form/Registration.php
@@ -240,6 +240,12 @@ public function preProcess() {
     //retrieve event information
     $params = array('id' => $this->_eventId);
     CRM_Event_BAO_Event::retrieve($params, $this->_values['event']);
+    // check for is_monetary status
+    $isMonetary = CRM_Utils_Array::value('is_monetary', $this->_values['event']);
+    // check for ability to add contributions of type
+    if ($isMonetary && !CRM_Core_Permission::check('add contributions of type ' . CRM_Contribute_PseudoConstant::financialType($this->_values['event']['financial_type_id']))) {
+      CRM_Core_Error::fatal(ts('You do not have permission to access this page.'));
+    }
     $this->checkValidEvent($infoUrl);
 
     // get the participant values, CRM-4320
@@ -285,8 +291,6 @@ public function preProcess() {
       $participant_role = CRM_Core_OptionGroup::values('participant_role');
       $this->_values['event']['participant_role'] = $participant_role["{$this->_values['event']['default_role_id']}"];
     }
-    // check for is_monetary status
-    $isMonetary = CRM_Utils_Array::value('is_monetary', $this->_values['event']);
     $isPayLater = CRM_Core_DAO::getFieldValue('CRM_Event_DAO_Event', $this->_eventId, 'is_pay_later');
     //check for variour combination for paylater, payment
     //process with paid event.
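Review bot: The new check indexes `$this->_values['event']['financial_type_id']` directly while `is_monetary` two lines above goes through `CRM_Utils_Array::value`; a monetary event with no financial type set raises a notice and the permission name collapses to `'add contributions of type '`, which `CRM_Core_Permission::check` will presumably reject, so the page fails closed with a message that does not distinguish a misconfigured event from a genuine permission denial. Read it the same way, `$financialTypeId = CRM_Utils_Array::value('financial_type_id', $this->_values['event']);`, and give the empty case its own message. The same `'add contributions of type ' . CRM_Contribute_PseudoConstant::financialType(...)` string is assembled again in the `initEventFee` hunk below; a small helper would keep the permission name in one place and make it easier to audit. The check also now runs before `$this->checkValidEvent($infoUrl)`, and for anonymous online registrants it means the per-financial-type permission must be granted to the anonymous role, which deserves a comment stating that this is intended. `preProcess()` starts before this hunk.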
@@ -712,6 +716,15 @@ public static function initEventFee(&$form, $eventID) {
     else {
       $isPaidEvent = CRM_Utils_Array::value('is_monetary', $form->_values['event']);
     }
+    if (!empty($form->_values['fee'])) {
+      foreach ($form->_values['fee'] as $fees) {
+        foreach ($fees['options'] as $options) {
+          if (!CRM_Core_Permission::check('add contributions of type ' . CRM_Contribute_PseudoConstant::financialType($options['financial_type_id']))) {
+            CRM_Core_Error::fatal(ts('You do not have permission to access this page.'));
+          }
+        }
+      }
+    }
     if ($isPaidEvent && empty($form->_values['fee'])) {
       if (CRM_Utils_System::getClassName($form) != 'CRM_Event_Form_Participant') {
         CRM_Core_Error::fatal(ts('No Fee Level(s) or Price Set is configured for this event.
Click CiviEvent >> Manage Event >> Configure >> Event Fees to configure the Fee Level(s) or Price Set for this event.', array(1 => CRM_Utils_System::url('civicrm/event/manage/fee', 'reset=1&action=update&id=' . $form->_eventId))));
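Review bot: The inner `foreach ($fees['options'] as $options)` indexes `options` without a guard, so a fee field carrying no options produces a notice and a warning from `foreach`; add `if (empty($fees['options'])) { continue; }` before it, and read the id as `CRM_Utils_Array::value('financial_type_id', $options)` for the same reason as the event-level check. The new permission loop is also not conditioned on `$isPaidEvent` and runs for every caller of `initEventFee`, including `CRM_Event_Form_Participant`, which the very next lines deliberately exempt from the fee-level fatal; a back-office user lacking one financial-type permission is therefore locked out of the whole participant form with a generic message. If that is intended, a comment saying so would help; otherwise gate the loop on `$isPaidEvent` and the form class like the check below it. `initEventFee()` starts before this hunk.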