0012680: CRM can't store leads
authorPhilipp Schüle <p.schuele@metaways.de>
Thu, 1 Jun 2017 07:10:06 +0000 (09:10 +0200)
committerPhilipp Schüle <p.schuele@metaways.de>
Fri, 2 Jun 2017 07:33:20 +0000 (09:33 +0200)
* prevent update of related record if user has
 no edit grant for related record container
 (like internal contacts)

https://forge.tine20.org/view.php?id=12680

Change-Id: I5b2a153efda0ffa8fa7bec2069d72ebc9f761af1
Reviewed-on: http://gerrit.tine20.com/customers/4794
Tested-by: Jenkins CI (http://ci.tine20.com/)
Reviewed-by: Philipp Schüle <p.schuele@metaways.de>
tests/tine20/Crm/JsonTest.php
tine20/Tinebase/Relations.php

index 24cfe87..e59d8e6 100644 (file)
@@ -4,7 +4,7 @@
  * 
  * @package     Crm
  * @license     http://www.gnu.org/licenses/agpl.html
- * @copyright   Copyright (c) 2008-2016 Metaways Infosystems GmbH (http://www.metaways.de)
+ * @copyright   Copyright (c) 2008-2017 Metaways Infosystems GmbH (http://www.metaways.de)
  * @author      Philipp Schüle <p.schuele@metaways.de>
  * 
  */
@@ -793,4 +793,23 @@ class Crm_JsonTest extends Crm_AbstractTest
         $searchLeads = $this->_getUit()->searchLeads($filter, '');
         $this->assertEquals(1, $searchLeads['totalcount']);
     }
+
+    /**
+     * @see 0012680: CRM can't store leads
+     * @throws Tinebase_Exception_InvalidArgument
+     */
+    public function testCreateLeadWithoutPermissionToInternalContacts()
+    {
+        // switch to jsmith
+        Tinebase_Core::set(Tinebase_Core::USER, $this->_personas['jsmith']);
+        $scleverContact = Addressbook_Controller_Contact::getInstance()->get($this->_personas['sclever']->contact_id);
+        $lead = $this->_getLead();
+        $leadData = $lead->toArray();
+        $leadData['relations'] = array(
+            array('type'  => 'PARTNER', 'related_record' => $scleverContact->toArray()),
+        );
+        $newLead = $this->_getUit()->saveLead($leadData);
+
+        self::assertEquals(1, count($newLead['relations']), 'two relations expected');
+    }
 }
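Review bot: The assertion message in the new test contradicts its expected value: `self::assertEquals(1, count($newLead['relations']), 'two relations expected');` asserts exactly one relation, so the message should read `'one relation expected'`. The test also never checks the behaviour the fix introduces — that the relation still points at the existing contact after the update was skipped — which `self::assertEquals($scleverContact->getId(), $newLead['relations'][0]['related_id']);` would pin. That jsmith lacks the edit grant on sclever's contact container is assumed from the persona fixtures and not visible here; a comment such as `// jsmith has no EDIT grant on the internal contacts container, so saving the lead must not update the related contact` would state that precondition next to the persona switch.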
index b74b04c..4bff155 100644 (file)
@@ -487,9 +487,9 @@ class Tinebase_Relations
                 . ' Relation: ' . print_r($_relation->toArray(), TRUE));
             throw new Tinebase_Exception_UnexpectedValue('Related record is missing from relation.');
         }
-        
+
         $appController = Tinebase_Core::getApplicationInstance($_relation->related_model);
-        
+
         if (! $_relation->related_record->getId()) {
             $method = 'create';
         } else {
@@ -501,9 +501,17 @@ class Tinebase_Relations
         if (Tinebase_Core::isLogLevel(Zend_Log::TRACE)) Tinebase_Core::getLogger()->trace(__METHOD__ . '::' . __LINE__
             . ' Relation: ' . print_r($_relation->toArray(), TRUE));
 
-        $record = $appController->$method($_relation->related_record, $_doCreateUpdateCheck && $this->_doCreateUpdateCheck($_relation));
-        $_relation->related_id = $record->getId();
-        
+        if ($method === 'update' && $appController->doContainerACLChecks()
+            && ! Tinebase_Core::getUser()->hasGrant($_relation->related_record->container_id, Tinebase_Model_Grants::GRANT_EDIT)
+        ) {
+            if (Tinebase_Core::isLogLevel(Zend_Log::NOTICE)) Tinebase_Core::getLogger()->notice(__METHOD__ . '::' . __LINE__
+                . ' Don\'t update related record because user has no update grant');
+        } else {
+            $record = $appController->$method($_relation->related_record,
+                $_doCreateUpdateCheck && $this->_doCreateUpdateCheck($_relation));
+            $_relation->related_id = $record->getId();
+        }
+
         switch ($_relation->related_model) {
             case 'Addressbook_Model_Contact':
                 $_relation->related_backend = ucfirst(Addressbook_Backend_Factory::SQL);
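Review bot: When the new grant check skips the update, `$_relation->related_id = $record->getId();` is no longer executed on that path, so a relation whose `related_id` was not already populated by the caller leaves this step with it unset while the code that follows goes on to set `related_backend` for it. Because the `update` method is only chosen when `related_record->getId()` is non-empty, the skip branch can set it from the record itself: `$_relation->related_id = $_relation->related_record->getId();` after the notice log. The check also reads `$_relation->related_record->container_id` without a guard; what `hasGrant` does for a related record without a container is not visible here and is worth confirming. The enclosing method begins before this hunk.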