Respect ACL for multi-value custom field

CRM/ACL/BAO/ACL.php

@@ -852,7 +852,7 @@ public static function group(
       $aclKeys = array_keys($acls);
       $aclKeys = implode(',', $aclKeys);
 
-      $cacheKey = CRM_Utils_Cache::cleanKey("$tableName-$aclKeys");
+      $cacheKey = CRM_Utils_Cache::cleanKey("{$tableName}-{$type}-{$aclKeys}");
       $cache = CRM_Utils_Cache::singleton();
       $ids = $cache->get($cacheKey);
       if (!$ids) {

CRM/Contact/Form/CustomData.php

@@ -125,6 +125,14 @@ public function preProcess() {
         $this->_groupID = CRM_Utils_Request::retrieve('groupID', 'Positive', $this);
         $this->_tableID = $this->_entityId;
         $this->_contactType = CRM_Contact_BAO_Contact::getContactType($this->_tableID);
+
+        // check if the user has permission to edit the custom data for the contact.
+        if (!CRM_Core_BAO_CustomGroup::isCustomGroupAllowed(
+          $this->_groupID, $entityId, CRM_Core_Permission::EDIT
+        )) {
+          CRM_Core_Error::statusBounce(ts('You do not have the necessary permission to add/edit this contact\'s custom data.'));
+        }
+
         $mode = CRM_Utils_Request::retrieve('mode', 'String', $this);
         $hasReachedMax = CRM_Core_BAO_CustomGroup::hasReachedMaxLimit($this->_groupID, $this->_tableID);
         if ($hasReachedMax && $mode == 'add') {

CRM/Contact/Page/AJAX.php

@@ -310,6 +310,11 @@ public static function deleteCustomValue() {
     $customValueID = CRM_Utils_Type::escape($_REQUEST['valueID'], 'Positive');
     $customGroupID = CRM_Utils_Type::escape($_REQUEST['groupID'], 'Positive');
     $contactId = CRM_Utils_Request::retrieve('contactId', 'Positive');
+    if (!CRM_Core_BAO_CustomGroup::isCustomGroupAllowed(
+      $customGroupID, $contactId, CRM_Core_Permission::EDIT
+    )) {
+      CRM_Utils_System::permissionDenied();
+    }
     CRM_Core_BAO_CustomValue::deleteCustomValue($customValueID, $customGroupID);
     if ($contactId) {
       echo CRM_Contact_BAO_Contact::getCountComponent('custom_' . $customGroupID, $contactId);

CRM/Core/BAO/CustomField.php

@@ -314,6 +314,7 @@ public function getOptions($context = NULL) {
    *   Return only custom data for subtype.
    * @param bool $checkPermission
    *   If false, do not include permissioning clause.
+   * @param int $permissionType
    *
    * @return array
    *   an array of active custom fields.
@@ -326,7 +327,8 @@ public static function &getFields(
     $customDataSubName = NULL,
     $onlyParent = FALSE,
     $onlySubType = FALSE,
-    $checkPermission = TRUE
+    $checkPermission = TRUE,
+    $permissionType = CRM_Core_Permission::VIEW
   ) {
     if (empty($customDataType)) {
       $customDataType = array('Contact', 'Individual', 'Organization', 'Household');
@@ -375,7 +377,7 @@ public static function &getFields(
 
     // also get the permission stuff here
     if ($checkPermission) {
-      $permissionClause = CRM_Core_Permission::customGroupClause(CRM_Core_Permission::VIEW,
+      $permissionClause = CRM_Core_Permission::customGroupClause($permissionType,
         "{$cgTable}."
       );
     }
@@ -486,7 +488,7 @@ public static function &getFields(
 
         // also get the permission stuff here
         if ($checkPermission) {
-          $permissionClause = CRM_Core_Permission::customGroupClause(CRM_Core_Permission::VIEW,
+          $permissionClause = CRM_Core_Permission::customGroupClause($permissionType,
             "{$cgTable}.", TRUE
           );
         }
@@ -563,8 +565,8 @@ public static function &getFields(
    *   When called from search and multiple records need to be returned.
    * @param bool $checkPermission
    *   If false, do not include permissioning clause.
-   *
    * @param bool $withMultiple
+   * @param int $permissionType
    *
    * @return array
    */
@@ -574,7 +576,8 @@ public static function getFieldsForImport(
     $onlyParent = FALSE,
     $search = FALSE,
     $checkPermission = TRUE,
-    $withMultiple = FALSE
+    $withMultiple = FALSE,
+    $permissionType = CRM_Core_Permission::VIEW
   ) {
     // Note: there are situations when we want getFieldsForImport() return fields related
     // ONLY to basic contact types, but NOT subtypes. And thats where $onlyParent is helpful
@@ -585,7 +588,8 @@ public static function getFieldsForImport(
       NULL,
       $onlyParent,
       FALSE,
-      $checkPermission
+      $checkPermission,
+      $permissionType
     );
 
     $importableFields = [];

CRM/Core/BAO/CustomGroup.php

@@ -2233,4 +2233,23 @@ private static function buildGroupTree($entityType, $toReturn, $subTypes, $query
     return [$multipleFieldGroups, $groupTree];
   }
 
+  /**
+   * Check if user has permission for CRUD operation on custom data.
+   *
+   * @param int $customGroupId
+   * @param int $contactId
+   * @param int $permissionType
+   *
+   * @return bool
+   */
+  public static function isCustomGroupAllowed($customGroupId, $contactId, $permissionType) {
+    if (CRM_Contact_BAO_Contact_Permission::allow($contactId, CRM_Core_Permission::EDIT)
+      && $customGroupId && in_array($customGroupId,
+      CRM_Core_Permission::customGroup($permissionType)
+    )) {
+      return TRUE;
+    }
+    return FALSE;
+  }
+
 }

CRM/Core/BAO/UFGroup.php

@@ -736,14 +736,19 @@ public static function getLocationFields() {
   }
 
   /**
-   * @param $ctype
+   * @param string $ctype
+   * @param int $permissionType
    *
    * @return mixed
    */
-  protected static function getCustomFields($ctype) {
+  protected static function getCustomFields($ctype, $permissionType = CRM_Core_Permission::VIEW) {
     static $customFieldCache = [];
     if (!isset($customFieldCache[$ctype])) {
-      $customFields = CRM_Core_BAO_CustomField::getFieldsForImport($ctype, FALSE, FALSE, FALSE, TRUE, TRUE);
+      // Only Edit and View is supported in ACL for custom field.
+      if ($permissionType == CRM_Core_Permission::CREATE) {
+        $permissionType = CRM_Core_Permission::EDIT;
+      }
+      $customFields = CRM_Core_BAO_CustomField::getFieldsForImport($ctype, FALSE, FALSE, FALSE, TRUE, TRUE, $permissionType);
 
       // hack to add custom data for components
       $components = ['Contribution', 'Participant', 'Membership', 'Activity', 'Case'];

CRM/Profile/Page/MultipleRecordFieldsListing.php

@@ -260,6 +260,12 @@ public function browse() {
     }
 
     if (!empty($fieldIDs) && $this->_contactId) {
+      // Do not show Edit, Delete, Copy options if user don't have permission.
+      if (!CRM_Core_BAO_CustomGroup::isCustomGroupAllowed(
+        $customGroupId, $this->_contactId, CRM_Core_Permission::EDIT
+      )) {
+        $linkAction -= (CRM_Core_Action::COPY + CRM_Core_Action::UPDATE + CRM_Core_Action::DELETE);
+      }
       $DTparams = !empty($this->_DTparams) ? $this->_DTparams : NULL;
       // commonly used for both views i.e profile listing view (profileDataView) and custom data listing view (customDataView)
       $result = CRM_Core_BAO_CustomValueTable::getEntityValues($this->_contactId, NULL, $fieldIDs, TRUE, $DTparams);
@@ -449,6 +455,13 @@ public function browse() {
         }
       }
     }
+
+    if (CRM_Core_BAO_CustomGroup::isCustomGroupAllowed(
+      $customGroupId, $this->_contactId, CRM_Core_Permission::EDIT
+    )) {
+      $this->assign('showAddButton', TRUE);
+    }
+
     $this->assign('dateFields', $dateFields);
     $this->assign('dateFieldsVals', $dateFieldsVals);
     $this->assign('cgcount', $cgcount);

templates/CRM/Profile/Page/MultipleRecordFieldsListing.tpl

@@ -114,7 +114,7 @@
     <div id='{$dialogId}' class="hiddenElement"></div>
   {/if}
 
-  {if !$reachedMax}
+  {if !$reachedMax && $showAddButton}
     <div class="action-link">
       {if $pageViewType eq 'customDataView'}
         <br/><a accesskey="N" title="{ts 1=$customGroupTitle}Add %1 Record{/ts}" href="{crmURL p='civicrm/contact/view/cd/edit' q="reset=1&type=$ctype&groupID=$customGroupId&entityID=$contactId&cgcount=$newCgCount&multiRecordDisplay=single&mode=add"}"