Merge pull request #20769 from eileenmcnaughton/acl_test

#2115 Move financial acl code out of v3 Contribution create

api/v3/Contribution.php

@@ -15,6 +15,8 @@
  * @package CiviCRM_APIv3
  */
 
+use Civi\Api4\Contribution;
+
 /**
  * Add or update a Contribution.
  *
@@ -40,18 +42,14 @@ function civicrm_api3_contribution_create($params) {
   }
   $params['skipCleanMoney'] = TRUE;
 
-  if (!empty($params['check_permissions']) && CRM_Financial_BAO_FinancialType::isACLFinancialTypeStatus()) {
-    if (empty($params['id'])) {
-      $op = CRM_Core_Action::ADD;
-    }
-    else {
-      if (empty($params['financial_type_id'])) {
-        $params['financial_type_id'] = CRM_Core_DAO::getFieldValue('CRM_Contribute_DAO_Contribution', $params['id'], 'financial_type_id');
-      }
-      $op = CRM_Core_Action::UPDATE;
-    }
-    CRM_Financial_BAO_FinancialType::getAvailableFinancialTypes($types, $op);
-    if (!array_key_exists($params['financial_type_id'], $types)) {
+  if (!empty($params['check_permissions'])) {
+    // Check acls on this entity. Note that we pass in financial type id, if we have it
+    // since we know this is checked by acls. In v4 we do something more generic.
+    if (!Contribution::checkAccess()
+      ->setAction(empty($params['id']) ? 'create' : 'update')
+      ->addValue('id', $params['id'] ?? NULL)
+      ->addValue('financial_type_id', $params['financial_type_id'] ?? NULL)
+      ->execute()->first()['access']) {
       throw new API_Exception('You do not have permission to create this contribution');
     }
   }

ext/financialacls/financialacls.php

@@ -305,19 +305,41 @@ function _financialacls_civi_api4_authorizeContribution(\Civi\Api4\Event\Authori
   if (!financialacls_is_acl_limiting_enabled()) {
     return;
   }
-  if ($e->getActionName() === 'delete' && $e->getEntityName() === 'Contribution') {
-    $contributionID = $e->getRecord()['id'];
-    // First check contribution financial type
-    $financialType = CRM_Core_PseudoConstant::getName('CRM_Contribute_DAO_Contribution', 'financial_type_id', CRM_Core_DAO::getFieldValue('CRM_Contribute_DAO_Contribution', $contributionID, 'financial_type_id'));
-    // Now check permissioned line items & permissioned contribution
-    if (!CRM_Core_Permission::check('delete contributions of type ' . $financialType, $e->getUserID()) ||
-      !CRM_Financial_BAO_FinancialType::checkPermissionedLineItems($contributionID, 'delete', FALSE, $e->getUserID())
-    ) {
+  if ($e->getEntityName() === 'Contribution') {
+    $contributionID = $e->getRecord()['id'] ?? NULL;
+    $financialTypeID = $e->getRecord()['financial_type_id'] ?? CRM_Core_DAO::getFieldValue('CRM_Contribute_DAO_Contribution', $contributionID, 'financial_type_id');
+    if (!CRM_Core_Permission::check(_financialacls_getRequiredPermission($financialTypeID, $e->getActionName()), $e->getUserID())) {
       $e->setAuthorized(FALSE);
     }
+    if ($e->getActionName() === 'delete') {
+      // First check contribution financial type
+      // Now check permissioned line items & permissioned contribution
+      if (!CRM_Financial_BAO_FinancialType::checkPermissionedLineItems($contributionID, 'delete', FALSE, $e->getUserID())
+      ) {
+        $e->setAuthorized(FALSE);
+      }
+    }
   }
 }
 
+/**
+ * Get the permission required to perform this action on this financial type.
+ *
+ * @param int $financialTypeID
+ * @param string $action
+ *
+ * @return string
+ */
+function _financialacls_getRequiredPermission(int $financialTypeID, string $action): string {
+  $financialType = CRM_Core_PseudoConstant::getName('CRM_Contribute_DAO_Contribution', 'financial_type_id', $financialTypeID);
+  $actionMap = [
+    'create' => 'add',
+    'update' => 'edit',
+    'delete' => 'delete',
+  ];
+  return $actionMap[$action] . ' contributions of type ' . $financialType;
+}
+
 /**
  * Remove unpermitted financial types from field Options in search context.
  *