Parse activities against permission to view target contact

24cfc3e2 · Christian Wach · f9f63773 · 24cfc3e2
Commit 24cfc3e2 authored Sep 10, 2019 by Christian Wach ⚽
--- a/CRM/CallNextDashlet/Page/CallNextDashlet.php
+++ b/CRM/CallNextDashlet/Page/CallNextDashlet.php
@@ -148,7 +148,7 @@ class CRM_CallNextDashlet_Page_CallNextDashlet extends CRM_Core_Page {
   *
   * @return array|bool $contacts Array of contact data, or false on failure.
   */
-  public function get_contacts() {
+  public static function get_contacts() {

    try {

@@ -226,7 +226,10 @@ class CRM_CallNextDashlet_Page_CallNextDashlet extends CRM_Core_Page {
    }
    foreach($activities_none['values'] AS $activity) {
      if (empty($activity['assignee_contact_id'])) {
-        $activities[] = $activity;
+        $contactID = array_shift($activity['target_contact_id']);
+        if (self::can_view_contact($contactID)) {
+          $activities[] = $activity;
+        }
      }
    }

@@ -249,4 +252,45 @@ class CRM_CallNextDashlet_Page_CallNextDashlet extends CRM_Core_Page {

  }

+  /**
+   * Check if a Contact can be viewed by the current User.
+   *
+   * @since 1.0
+   *
+   * @param int $contactID The numeric ID of the Contact.
+   * @return bool True if the current User can view the Contact.
+   */
+  public static function can_view_contact( $contactID ) {
+
+    // automatically grant permissin for users on their own record. makes
+    // things easier in dashboard
+    $session = CRM_Core_Session::singleton();
+
+    // Allow if it's me and I have the permission.
+    if ($session->get('userID') == $contactID AND CRM_Core_Permission::check('edit my contact')) {
+      return TRUE;
+    }
+
+    // Allow if it's a deleted Contact and I have the permission.
+    elseif (CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Contact', $contactID, 'is_deleted') AND CRM_Core_Permission::check('access deleted contacts')) {
+      return TRUE;
+    }
+
+    // Allow if it's a Contact I can edit.
+    elseif (CRM_Contact_BAO_Contact_Permission::allow($contactID, CRM_Core_Permission::EDIT)) {
+      return TRUE;
+    }
+
+    // Allow if it's a Contact I can view.
+    elseif (CRM_Contact_BAO_Contact_Permission::allow($contactID, CRM_Core_Permission::VIEW)) {
+      return TRUE;
+    }
+
+    // Disallow in all other cases.
+    else {
+      return FALSE;
+    }
+
+  }
+
 }