CRM-20910: Check permission param while retrieving participants from api

Jitendra Purohit · Jitendra Purohit · commit 9ae90c544644 · 2017-07-19T14:02:38.000+05:30
diff --git a/CRM/Contact/BAO/Query.php b/CRM/Contact/BAO/Query.php
@@ -6121,7 +6121,8 @@ public static function buildQillForFieldValue(
       $pseudoOptions = CRM_Core_PseudoConstant::worldRegion();
     }
     elseif ($daoName == 'CRM_Event_DAO_Event' && $fieldName == 'id') {
-      $pseudoOptions = CRM_Event_BAO_Event::getEvents(0, $fieldValue, TRUE, TRUE, TRUE);
+      $checkPermission = CRM_Utils_Array::value('check_permission', $pseudoExtraParam, TRUE);
+      $pseudoOptions = CRM_Event_BAO_Event::getEvents(0, $fieldValue, TRUE, $checkPermission, TRUE);
     }
     elseif ($fieldName == 'contribution_product_id') {
       $pseudoOptions = CRM_Contribute_PseudoConstant::products();
diff --git a/CRM/Event/BAO/Query.php b/CRM/Event/BAO/Query.php
@@ -253,6 +253,10 @@ public static function where(&$query) {
    * @param $query
    */
   public static function whereClauseSingle(&$values, &$query) {
+    $checkPermission = TRUE;
+    if (!empty($query->_skipPermission)) {
+      $checkPermission = FALSE;
+    }
     list($name, $op, $value, $grouping, $wildcard) = $values;
     $fields = array_merge(CRM_Event_BAO_Event::fields(), CRM_Event_BAO_Participant::exportableFields());
 
@@ -400,7 +404,7 @@ public static function whereClauseSingle(&$values, &$query) {
         }
         $query->_where[$grouping][] = CRM_Contact_BAO_Query::buildClause("$tableName.$name", $op, $value, $dataType);
 
-        list($op, $value) = CRM_Contact_BAO_Query::buildQillForFieldValue('CRM_Event_DAO_Participant', $name, $value, $op);
+        list($op, $value) = CRM_Contact_BAO_Query::buildQillForFieldValue('CRM_Event_DAO_Participant', $name, $value, $op, array('check_permission' => $checkPermission));
         $query->_qill[$grouping][] = ts('%1 %2 %3', array(1 => $fields[$qillName]['title'], 2 => $op, 3 => $value));
         $query->_tables['civicrm_participant'] = $query->_whereTables['civicrm_participant'] = 1;
         return;
@@ -425,7 +429,7 @@ public static function whereClauseSingle(&$values, &$query) {
           $query->_where[$grouping][] = CRM_Contact_BAO_Query::buildClause("$tableName.$name", $op, $value, $dataType);
         }
 
-        list($op, $value) = CRM_Contact_BAO_Query::buildQillForFieldValue('CRM_Event_DAO_Participant', $name, $value, $op);
+        list($op, $value) = CRM_Contact_BAO_Query::buildQillForFieldValue('CRM_Event_DAO_Participant', $name, $value, $op, array('check_permission' => $checkPermission));
         $query->_qill[$grouping][] = ts('%1 %2 %3', array(1 => $fields[$qillName]['title'], 2 => $op, 3 => $value));
         $query->_tables['civicrm_participant'] = $query->_whereTables['civicrm_participant'] = 1;
         return;
@@ -461,7 +465,7 @@ public static function whereClauseSingle(&$values, &$query) {
         if (!array_key_exists($qillName, $fields)) {
           break;
         }
-        list($op, $value) = CRM_Contact_BAO_Query::buildQillForFieldValue('CRM_Event_DAO_Event', $name, $value, $op);
+        list($op, $value) = CRM_Contact_BAO_Query::buildQillForFieldValue('CRM_Event_DAO_Event', $name, $value, $op, array('check_permission' => $checkPermission));
         $query->_qill[$grouping][] = ts('%1 %2 %3', array(1 => $fields[$qillName]['title'], 2 => $op, 3 => $value));
         return;
     }
diff --git a/tests/phpunit/api/v3/ParticipantTest.php b/tests/phpunit/api/v3/ParticipantTest.php
@@ -206,6 +206,30 @@ public function testGetParticipantIdOnly() {
 
   }
 
+  /**
+   * Test permission for participant get.
+   */
+  public function testGetParticipantWithPermission() {
+    $config = CRM_Core_Config::singleton();
+    $config->userPermissionClass->permissions = array();
+    $params = array(
+      'event_id' => $this->_eventID,
+      'check_permissions' => TRUE,
+      'return' => array(
+        'participant_id',
+        'event_id',
+        'participant_register_date',
+        'participant_source',
+      ),
+    );
+    $this->callAPIFailure('participant', 'get', $params);
+
+    $params['check_permissions'] = FALSE;
+    $result = $this->callAPISuccess('participant', 'get', $params);
+    $this->assertEquals($result['is_error'], 0);
+  }
+
+
   /**
    * Check with params id.
    */

Original file line number	Diff line number	Diff line change
`@@ -6121,7 +6121,8 @@ public static function buildQillForFieldValue(`
`6121`	`6121`	`$pseudoOptions = CRM_Core_PseudoConstant::worldRegion();`
`6122`	`6122`	`}`
`6123`	`6123`	`elseif ($daoName == 'CRM_Event_DAO_Event' && $fieldName == 'id') {`
`6124`		`- $pseudoOptions = CRM_Event_BAO_Event::getEvents(0, $fieldValue, TRUE, TRUE, TRUE);`
	`6124`	`+ $checkPermission = CRM_Utils_Array::value('check_permission', $pseudoExtraParam, TRUE);`
	`6125`	`+ $pseudoOptions = CRM_Event_BAO_Event::getEvents(0, $fieldValue, TRUE, $checkPermission, TRUE);`
`6125`	`6126`	`}`
`6126`	`6127`	`elseif ($fieldName == 'contribution_product_id') {`
`6127`	`6128`	`$pseudoOptions = CRM_Contribute_PseudoConstant::products();`