Merge pull request #28451 from wmortada/standalone-protected-roles

Standalone - Protect admin and everyone roles
civicrm · Dec 3, 2023 · ec3684f · ec3684f
2 parents c6f5e7d + 7fbee0d
commit ec3684f
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/ext/standaloneusers/CRM/Standaloneusers/BAO/Role.php b/ext/standaloneusers/CRM/Standaloneusers/BAO/Role.php
@@ -14,4 +14,25 @@ public static function self_hook_civicrm_post(\Civi\Core\Event\PostEvent $event)
     Civi::cache('metadata')->clear();
   }
 
+  /**
+   * Check access permission
+   *
+   * @param string $entityName
+   * @param string $action
+   * @param array $record
+   * @param integer|null $userID
+   * @return boolean
+   * @see CRM_Core_DAO::checkAccess
+   */
+  public static function _checkAccess(string $entityName, string $action, array $record, ?int $userID): bool {
+    // Prevent users from updating or deleting the admin and everyone roles
+    if (in_array($action, ['delete', 'update'], TRUE)) {
+      $name = $record['name'] ?? CRM_Core_DAO::getFieldValue(self::class, $record['id']);
+      if (in_array($name, ['admin', 'everyone'], TRUE)) {
+        return FALSE;
+      }
+    }
+    return TRUE;
+  }
+
 }