Merge pull request #16788 from civicrm/msg_template_no_id

[REF] Fixes a bug in Message Template create API where by user permissions checks were being done on system workflow messages

CRM/Core/BAO/MessageTemplate.php

@@ -87,10 +87,12 @@ public static function add(&$params) {
           }
         }
         else {
-          if (!empty($params['workflow_id']) && !CRM_Core_Permission::check('edit system workflow message templates')) {
-            throw new \Civi\API\Exception\UnauthorizedException(ts('%1', [1 => $systemWorkflowPermissionDeniedMessage]));
+          if (!empty($params['workflow_id'])) {
+            if (!CRM_Core_Permission::check('edit system workflow message templates')) {
+              throw new \Civi\API\Exception\UnauthorizedException(ts('%1', [1 => $systemWorkflowPermissionDeniedMessage]));
+            }
           }
-          if (!CRM_Core_Permission::check('edit user-driven message templates')) {
+          elseif (!CRM_Core_Permission::check('edit user-driven message templates')) {
             throw new \Civi\API\Exception\UnauthorizedException(ts('%1', [1 => $userWorkflowPermissionDeniedMessage]));
           }
         }

tests/phpunit/api/v3/MessageTemplateTest.php

@@ -103,6 +103,10 @@ public function testPermissionChecks() {
       'msg_subject' => 'test msg permission subject',
       'check_permissions' => TRUE,
     ]);
+    $newEntityParams = $entity['values'][$entity['id']];
+    unset($newEntityParams['id']);
+    $newEntityParams['check_permissions'] = TRUE;
+    $this->callAPISuccess('MessageTemplate', 'create', $newEntityParams);
     // verify with all 3 permissions someone can do everything.
     CRM_Core_Config::singleton()->userPermissionClass->permissions = [
       'edit system workflow message templates',