From c76ec9fcf323b7b3d5ef9d7f462f0de3ae43bfae Mon Sep 17 00:00:00 2001
From: William Mortada
Date: Wed, 12 Oct 2022 11:06:15 +0100
Subject: [PATCH] Fix permission for SubscriptionHistory
---
 Civi/Api4/SubscriptionHistory.php | 11 ++++++
 .../api/v4/Entity/SubscriptionHistoryTest.php | 39 +++++++++++++++++++
 2 files changed, 50 insertions(+)
diff --git a/Civi/Api4/SubscriptionHistory.php b/Civi/Api4/SubscriptionHistory.php
index fd75e83ef58f..364fc44c3a21 100644
--- a/Civi/Api4/SubscriptionHistory.php
+++ b/Civi/Api4/SubscriptionHistory.php
@@ -19,4 +19,15 @@
 */
 class SubscriptionHistory extends Generic\DAOEntity {
+ /**
+ * @see \Civi\Api4\Generic\AbstractEntity::permissions()
+ * @return array
+ */
+ public static function permissions() {
+ // get permission is managed by ACLs
+ return [
+ 'get' => [],
+ ];
+ }
+
 }
diff --git a/tests/phpunit/api/v4/Entity/SubscriptionHistoryTest.php b/tests/phpunit/api/v4/Entity/SubscriptionHistoryTest.php
index 94cb3aeb5f3a..47d71781b367 100644
--- a/tests/phpunit/api/v4/Entity/SubscriptionHistoryTest.php
+++ b/tests/phpunit/api/v4/Entity/SubscriptionHistoryTest.php
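Review bot: The comment `// get permission is managed by ACLs` in SubscriptionHistory::permissions() does not say which ACL is relied on, and with `'get' => []` that ACL is the only thing limiting who can read subscription history rows. I would expand it to something like `// No action-level permission on get: rows are filtered by the contact ACL when permissions are checked (confirm group_id needs no separate check)`, so a later reader knows what must stay in place before touching this. The returned array also lists only `get` and is not merged with the parent's result; presumably the remaining actions fall back to a framework default, but that is not visible in this hunk, so the docblock should state what create, update and delete resolve to.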
@@ -62,4 +62,43 @@ public function testGet() {
 $this->assertLessThanOrEqual(time(), strtotime($historyRemoved->single()['date']));
 }
+ public function testGetPermissions() {
+ $this->createLoggedInUser();
+
+ $contact = $this->createTestRecord('Contact');
+ $group = $this->createTestRecord('Group');
+ $groupContact = $this->createTestRecord('GroupContact', [
+ 'group_id' => $group['id'],
+ 'contact_id' => $contact['id'],
+ ]);
+
+ \CRM_Core_Config::singleton()->userPermissionClass->permissions = [
+ 'access CiviCRM',
+ 'view all contacts',
+ ];
+
+ $historyAdded = SubscriptionHistory::get()
+ ->addSelect('*')
+ ->addWhere('group_id', '=', $group['id'])
+ ->addWhere('status', '=', 'Added')
+ ->addWhere('contact_id', '=', $contact['id'])
+ ->execute();
+ $this->assertCount(1, $historyAdded);
+
+ \CRM_Core_Config::singleton()->userPermissionClass->permissions = [];
+
+ try {
+ $historyAdded = SubscriptionHistory::get()
+ ->addSelect('*')
+ ->addWhere('group_id', '=', $group['id'])
+ ->addWhere('status', '=', 'Added')
+ ->addWhere('contact_id', '=', $contact['id'])
+ ->execute();
+ $this->assertCount(0, $historyAdded);
+ }
+ catch (UnauthorizedException $e) {
+ }
+
+ }
+
 }
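Review bot: The negative half of testGetPermissions passes whether the second get() returns zero rows or throws, because the `catch (UnauthorizedException $e) { }` block is empty and nothing asserts which path ran. With `'get' => []` introduced in the same commit, the ACL-filtered empty result looks like the intended outcome, so I would drop the try/catch and keep `$this->assertCount(0, $historyAdded);` on its own, so that a change which starts throwing is noticed. The `use` statements are outside this hunk, so check that UnauthorizedException is imported; a catch on an unresolved class name never matches. A third case with 'access CiviCRM' but without 'view all contacts' would pin the ACL filtering itself, which is the control the new permissions() depends on.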