CRM-19256 4.6

CRM/Core/Permission.php

@@ -134,8 +134,12 @@ public static function check($permissions) {
         return FALSE;
       }
       else {
+        // This is an individual permission
+        $granted = CRM_Core_Config::singleton()->userPermissionClass->check($permission);
+        // Call the permission_check hook to permit dynamic escalation (CRM-19256)
+        CRM_Utils_Hook::permission_check($permission, $granted);
         if (
-          !CRM_Core_Config::singleton()->userPermissionClass->check($permission)
+          !$granted
           && !($tempPerm && $tempPerm->check($permission))
         ) {
           //one of our 'and' conditions has not been met

CRM/Utils/Hook.php

@@ -1630,6 +1630,25 @@ public static function permission(&$permissions) {
     );
   }
 
+  /**
+   * This hook is called when checking permissions; use this hook to dynamically
+   * escalate user permissions in certain use cases (cf. CRM-19256).
+   *
+   * @param string $permission
+   *   The name of an atomic permission, ie. 'access deleted contacts'
+   * @param bool $granted
+   *   Whether this permission is currently granted. The hook can change this value.
+   *
+   * @return null
+   *   The return value is ignored
+   */
+  public static function permission_check($permission, &$granted) {
+    return self::singleton()->invoke(2, $permission, $granted,
+      self::$_nullObject, self::$_nullObject, self::$_nullObject, self::$_nullObject,
+      'civicrm_permission_check'
+    );
+  }
+
   /**
    * @param CRM_Core_Exception Exception $exception
    * @param mixed $request