Merge pull request #412 from systopia/ensure-admins-can-see-all-funding-cases

Allow admins to see funding cases in CiviCRM even though they have applicant permissions

Author: dontub

Civi/Funding/EventSubscriber/FundingCase/FundingCaseFilterPermissionsSubscriber.php

@@ -19,7 +19,9 @@
 
 namespace Civi\Funding\EventSubscriber\FundingCase;
 
+use Civi\Funding\Api4\Permissions;
 use Civi\Funding\Event\FundingCase\GetPermissionsEvent;
+use Civi\Funding\Permission\CiviPermissionChecker;
 use Civi\RemoteTools\RequestContext\RequestContextInterface;
 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
 
@@ -31,6 +33,8 @@ final class FundingCaseFilterPermissionsSubscriber implements EventSubscriberInt
     'clearing_',
   ];
 
+  private CiviPermissionChecker $permissionChecker;
+
   private RequestContextInterface $requestContext;
 
   /**
@@ -42,7 +46,8 @@ public static function getSubscribedEvents(): array {
     ];
   }
 
-  public function __construct(RequestContextInterface $requestContext) {
+  public function __construct(CiviPermissionChecker $permissionChecker, RequestContextInterface $requestContext) {
+    $this->permissionChecker = $permissionChecker;
     $this->requestContext = $requestContext;
   }
 
@@ -75,11 +80,16 @@ private function provideOnlyApplicantPermissions(GetPermissionsEvent $event): vo
   private function preventAccessIfHasApplicantPermission(GetPermissionsEvent $event): void {
     foreach ($event->getPermissions() as $permission) {
       if ($this->isApplicantPermission($permission)) {
-        $event->setPermissions([]);
+        // funding admins are still allowed to view the application.
+        $event->setPermissions($this->isFundingAdmin() ? ['view'] : []);
 
         return;
       }
     }
   }
 
+  private function isFundingAdmin(): bool {
+    return $this->permissionChecker->checkPermission(Permissions::ADMINISTER_FUNDING);
+  }
+
 }

Civi/Funding/EventSubscriber/FundingCase/FundingCasePermissionsGetAdminSubscriber.php

@@ -21,6 +21,7 @@
 
 use Civi\Funding\Api4\Permissions;
 use Civi\Funding\Event\FundingCase\GetPermissionsEvent;
+use Civi\Funding\Permission\CiviPermissionChecker;
 use Civi\RemoteTools\RequestContext\RequestContextInterface;
 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
 
@@ -32,6 +33,8 @@
  */
 final class FundingCasePermissionsGetAdminSubscriber implements EventSubscriberInterface {
 
+  private CiviPermissionChecker $permissionChecker;
+
   private RequestContextInterface $requestContext;
 
   /**
@@ -41,7 +44,8 @@ public static function getSubscribedEvents(): array {
     return [GetPermissionsEvent::class => 'onPermissionsGet'];
   }
 
-  public function __construct(RequestContextInterface $requestContext) {
+  public function __construct(CiviPermissionChecker $permissionChecker, RequestContextInterface $requestContext) {
+    $this->permissionChecker = $permissionChecker;
     $this->requestContext = $requestContext;
   }
 
@@ -61,7 +65,7 @@ private function isFundingAdmin(): bool {
       return PHP_SAPI === 'cli';
     }
 
-    return \CRM_Core_Permission::check(Permissions::ADMINISTER_FUNDING, $this->requestContext->getContactId());
+    return $this->permissionChecker->checkPermission(Permissions::ADMINISTER_FUNDING);
   }
 
 }

Civi/Funding/EventSubscriber/FundingProgram/FundingProgramPermissionsGetAdminSubscriber.php

@@ -21,6 +21,7 @@
 
 use Civi\Funding\Api4\Permissions;
 use Civi\Funding\Event\FundingProgram\GetPermissionsEvent;
+use Civi\Funding\Permission\CiviPermissionChecker;
 use Civi\RemoteTools\RequestContext\RequestContextInterface;
 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
 
@@ -32,6 +33,8 @@
  */
 final class FundingProgramPermissionsGetAdminSubscriber implements EventSubscriberInterface {
 
+  private CiviPermissionChecker $permissionChecker;
+
   private RequestContextInterface $requestContext;
 
   /**
@@ -41,7 +44,8 @@ public static function getSubscribedEvents(): array {
     return [GetPermissionsEvent::class => 'onPermissionsGet'];
   }
 
-  public function __construct(RequestContextInterface $requestContext) {
+  public function __construct(CiviPermissionChecker $permissionChecker, RequestContextInterface $requestContext) {
+    $this->permissionChecker = $permissionChecker;
     $this->requestContext = $requestContext;
   }
 
@@ -61,7 +65,7 @@ private function isFundingAdmin(): bool {
       return PHP_SAPI === 'cli';
     }
 
-    return \CRM_Core_Permission::check(Permissions::ADMINISTER_FUNDING, $this->requestContext->getContactId());
+    return $this->permissionChecker->checkPermission(Permissions::ADMINISTER_FUNDING);
   }
 
 }

Civi/Funding/Permission/CiviPermissionChecker.php

@@ -0,0 +1,41 @@
+<?php
+/*
+ * Copyright (C) 2025 SYSTOPIA GmbH
+ *
+ *  This program is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU Affero General Public License as published by
+ *  the Free Software Foundation in version 3.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU Affero General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Affero General Public License
+ *  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+declare(strict_types = 1);
+
+namespace Civi\Funding\Permission;
+
+use Civi\RemoteTools\RequestContext\RequestContextInterface;
+
+class CiviPermissionChecker {
+
+  private RequestContextInterface $requestContext;
+
+  public function __construct(RequestContextInterface $requestContext) {
+    $this->requestContext = $requestContext;
+  }
+
+  /**
+   * @phpstan-param string|list<string|list<string>> $permissions
+   *
+   * @see \CRM_Core_Permission::check()
+   */
+  public function checkPermission($permissions, ?int $contactId = NULL): bool {
+    return \CRM_Core_Permission::check($permissions, $contactId ?? $this->requestContext->getContactId());
+  }
+
+}

services/other.php

@@ -40,6 +40,7 @@
 use Civi\Funding\ExternalFile\FundingExternalFileManagerInterface;
 use Civi\Funding\FundingAttachmentManager;
 use Civi\Funding\FundingAttachmentManagerInterface;
+use Civi\Funding\Permission\CiviPermissionChecker;
 use Civi\Funding\Util\MoneyFactory;
 use Civi\Funding\Util\UrlGenerator;
 use Civi\Funding\Validation\EntityValidator;
@@ -65,6 +66,7 @@
 $container->autowire(MoneyFactory::class);
 $container->autowire(ChangeSetFactory::class);
 $container->autowire(DaoEntityInfoProvider::class);
+$container->autowire(CiviPermissionChecker::class);
 
 $container->addCompilerPass(new ActionPropertyAutowireFixPass(), PassConfig::TYPE_BEFORE_REMOVING);
 

tests/phpunit/Civi/Funding/EventSubscriber/FundingCase/FundingCaseFilterPermissionsSubscriberTest.php

@@ -19,23 +19,32 @@
 
 namespace Civi\Funding\EventSubscriber\FundingCase;
 
+use Civi\Funding\Api4\Permissions;
 use Civi\Funding\Event\FundingCase\GetPermissionsEvent;
 use Civi\Funding\Mock\RequestContext\TestRequestContext;
+use Civi\Funding\Permission\CiviPermissionChecker;
+use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
 
 /**
  * @covers \Civi\Funding\EventSubscriber\FundingCase\FundingCaseFilterPermissionsSubscriber
  */
 final class FundingCaseFilterPermissionsSubscriberTest extends TestCase {
 
+  /**
+   * @var \Civi\Funding\Permission\CiviPermissionChecker&\PHPUnit\Framework\MockObject\MockObject
+   */
+  private MockObject $permissionCheckerMock;
+
   private FundingCaseFilterPermissionsSubscriber $subscriber;
 
   private TestRequestContext $requestContext;
 
   protected function setUp(): void {
     parent::setUp();
+    $this->permissionCheckerMock = $this->createMock(CiviPermissionChecker::class);
     $this->requestContext = TestRequestContext::newInternal();
-    $this->subscriber = new FundingCaseFilterPermissionsSubscriber($this->requestContext);
+    $this->subscriber = new FundingCaseFilterPermissionsSubscriber($this->permissionCheckerMock, $this->requestContext);
   }
 
   public function testGetSubscribedEvents(): void {
@@ -59,12 +68,22 @@ public function testExcludesNonApplicantPermissionsRemoteRequest(): void {
   }
 
   public function testPreventAccessInternalRequest(): void {
-    $event = $this->createEvent(['application_foo', 'review_bar']);
+    $event = $this->createEvent(['application_foo', 'review_bar', 'view']);
 
     $this->subscriber->onPermissionsGet($event);
     static::assertSame([], $event->getPermissions());
   }
 
+  public function testFundingAdminCanViewCasesWithApplicantPermissions(): void {
+    $event = $this->createEvent(['application_foo', 'review_bar', 'view']);
+    $this->permissionCheckerMock->method('checkPermission')
+      ->with(Permissions::ADMINISTER_FUNDING)
+      ->willReturn(TRUE);
+
+    $this->subscriber->onPermissionsGet($event);
+    static::assertSame(['view'], $event->getPermissions());
+  }
+
   public function testInternalRequest(): void {
     $event = $this->createEvent(['review_bar']);