CiviCRM / CRM-11290

Ensure check_permissions is passed to chained api calls

    Details

    • Type: Bug
    • Status: Done/Fixed
    • Priority: Trivial
    • Resolution: Fixed/Completed
    • Affects Version/s: 4.2.6
    • Fix Version/s: 4.2.7
    • Component/s: None
    • Labels:
      None

      Description

      If check_permissions is used, the flag should be passed down to chained calls. This is a security fix.

      Note that this fix results in a hard error if chaining is attempted that is not allowed. It might be arguable that only the chained api should 'bounce' but my suspicion is that there is unlikely to be anyone purposely chaining with 'check_permission' set & this shouldn't break existing code.

      function testContactGetPledgeNotChainable() {
        // Install the ACL hook defined on the test class.
        $this->hookClass->setHook('civicrm_aclWhereClause', array($this, 'aclWhereOnlySecond'));
        // Call without check_permissions, kept for comparison.
        $fullresult = civicrm_api('contact', 'get', array(
          'version' => $this->_apiversion,
          'sequential' => 1,
        ));
        // Permission-checked call that chains pledge.get.
        $result = civicrm_api('contact', 'get', array(
          'version' => $this->_apiversion,
          'check_permissions' => 1,
          'api.pledge.get' => 1,
          'sequential' => 1,
        ));
        // civicrm_api() returns an array; the message is in 'error_message'.
        $this->assertEquals('Error in call to pledge_get : API permission check failed for pledge/get call; missing permission: access CiviCRM.', $result['error_message']);
      }

            People

            • Assignee:
              eileen Eileen McNaughton
              Reporter:
              eileen Eileen McNaughton
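
The behaviour the description asks for, as an added example that is not CiviCRM code and not part of the original issue: a toy dispatcher that runs the same chained request with and without passing check_permissions to the chained call. The function toy_api(), the REQUIRED and DATA tables, and the 'view all contacts' requirement on contact.get are assumptions made for illustration; only the error text is modelled on the message in the test above.

```php
<?php
// Toy model of API chaining, NOT CiviCRM internals. All names are hypothetical.
const REQUIRED = ['contact.get' => 'view all contacts', 'pledge.get' => 'access CiviCRM'];
const DATA = [
    'contact.get' => [['id' => 2, 'name' => 'Second Contact']], // constructed sample rows
    'pledge.get'  => [['id' => 1, 'amount' => 100]],
];

function toy_api(string $entity, string $action, array $params, array $userPerms, bool $propagate): array {
    $key = "$entity.$action";
    // The permission check only runs when the caller asked for it.
    if (!empty($params['check_permissions']) && !in_array(REQUIRED[$key], $userPerms, true)) {
        return ['is_error' => 1, 'error_message' =>
            "API permission check failed for $entity/$action call; missing permission: " . REQUIRED[$key] . '.'];
    }
    $result = ['is_error' => 0, 'values' => DATA[$key]];
    foreach ($params as $name => $chainParams) {
        if (!preg_match('/^api\.(\w+)\.(\w+)$/', $name, $m)) {
            continue; // ordinary parameter, not a chained call
        }
        $chainParams = is_array($chainParams) ? $chainParams : [];
        if ($propagate && !empty($params['check_permissions'])) {
            $chainParams['check_permissions'] = 1; // the fix: the child inherits the flag
        }
        $child = toy_api($m[1], $m[2], $chainParams, $userPerms, $propagate);
        if ($child['is_error']) {
            // Hard error: a disallowed chained call fails the whole outer call.
            return ['is_error' => 1,
                'error_message' => "Error in call to {$m[1]}_{$m[2]} : " . $child['error_message']];
        }
        $result['values'][0][$name] = $child;
    }
    return $result;
}

$params = ['check_permissions' => 1, 'api.pledge.get' => 1];
$perms  = ['view all contacts']; // caller may read contacts but lacks 'access CiviCRM'

// Flag not propagated: pledge rows come back although the caller asked for checks.
$before = toy_api('contact', 'get', $params, $perms, false);
echo 'before: ', json_encode($before['values'][0]['api.pledge.get']['values']), "\n";

// Flag propagated: the outer call returns the chained call's permission error.
$after = toy_api('contact', 'get', $params, $perms, true);
echo 'after:  ', $after['error_message'], "\n";
```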