Open jensschuppe opened 3 months ago
ab6ba399ff5b6c1f0c66abd9f4afa1f947922003 replaces manual SQL queries with API4 calls (with checkPermissions) for the Mandates tab in the contact summary, which should make the financialacls extension add clauses for allowed financial types to resulting SQL queries. This requires civicrm/civicrm-core#30877 for the Financial ACLs extension to create correct queries for JOINs.
The commit also adds a TODO for retrieving how many of the last installments have failed, which is being done with some regex in another SQL query, but does not expose unpermissioned contribution information - the query should be replaced eventually, but does no harm for now.
The API4 SepaMandate.get action now has a dedicated action class which adds uniquely aliased joins to civicrm_contribution and civicrm_contribution_recur in order for the Financial ACLs extension to check permissions for joined entities.
The Create Mandate form uses this action for retrieving mandates to clone/replace. Also, the form only allows permissioned financial types to be selected. The API3 action SepaMandate.createfull checks the financial type parameter against those.
The SepaTransactionGroup.get action now has a dedicated action class which adds uniquely aliased joins to SepaContributionGroup and Contribution entities in order for the Financial ACLs extension to check permissions for joined contributions.
The CiviSEPA dashboard uses the SepaTransactionGroup.get API4 action and thus does not display transaction groups with contributions of financial types the user does not have permission for. This approach shows transaction groups with contributions of mixed financial types (and only shows the number of permissioned contributions) - I think this is not correct and those groups should be hidden from the user entirely instead.
Refactored the contribution list view per CiviSEPA transaction group to use API4, effectively blocking access to groups with contributions of financial types the user does not have permissions for.
There is a new (global) setting for whether to create transaction groups by financial types instead of by creditor/collection date/mandate type only.
Updating OOFF groups is implemented, implementation for RCUR groups is pending.
Cleanup of contributions still works the same (ensuring each contribution is in only one transaction group).
Report queries seem to be already covered by Financial ACLs.
I've left out issues with translation and naming for now, but they should still be taken care of …
I think at least renaming financialacls to a more appropriate name should be done before merging this.
systopia-reference: 25698
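The two visibility behaviours discussed in the dashboard paragraph above, compared side by side as an added example that is not part of this pull request. The tables, column names and rows are a constructed, simplified stand-in (an assumption), not CiviSEPA's schema or the SQL that the Financial ACLs extension generates.

```python
import sqlite3

# Constructed, simplified schema and rows (assumption, not CiviSEPA's tables).
# Group 1 holds only financial type 1, group 2 is mixed, group 3 only type 2.
SCHEMA = """
CREATE TABLE txgroup (id INTEGER PRIMARY KEY, reference TEXT);
CREATE TABLE contribution (id INTEGER PRIMARY KEY, financial_type_id INTEGER);
CREATE TABLE contribution_group (txgroup_id INTEGER, contribution_id INTEGER);
INSERT INTO txgroup VALUES (1,'TXG-ALLOWED'), (2,'TXG-MIXED'), (3,'TXG-DENIED');
INSERT INTO contribution VALUES (10,1), (11,1), (20,1), (21,2), (30,2);
INSERT INTO contribution_group VALUES (1,10), (1,11), (2,20), (2,21), (3,30);
"""

def _db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def _marks(allowed):
    # One bound parameter per allowed financial type id.
    return ",".join("?" for _ in allowed)

def groups_filtered_join(allowed):
    """ACL clause on the joined contribution: a mixed group stays visible,
    counting only the contributions the user is permitted to see."""
    sql = f"""
        SELECT g.reference, COUNT(c.id) FROM txgroup g
        JOIN contribution_group cg ON cg.txgroup_id = g.id
        JOIN contribution c ON c.id = cg.contribution_id
             AND c.financial_type_id IN ({_marks(allowed)})
        GROUP BY g.id ORDER BY g.id"""
    return _db().execute(sql, list(allowed)).fetchall()

def groups_all_or_nothing(allowed):
    """Hide a group entirely as soon as it contains one contribution of a
    financial type outside the allowed set."""
    sql = f"""
        SELECT g.reference, COUNT(cg.contribution_id) FROM txgroup g
        JOIN contribution_group cg ON cg.txgroup_id = g.id
        WHERE NOT EXISTS (
            SELECT 1 FROM contribution_group cg2
            JOIN contribution c2 ON c2.id = cg2.contribution_id
            WHERE cg2.txgroup_id = g.id
              AND c2.financial_type_id NOT IN ({_marks(allowed)}))
        GROUP BY g.id ORDER BY g.id"""
    return _db().execute(sql, list(allowed)).fetchall()

if __name__ == "__main__":
    print("filtered join :", groups_filtered_join([1]))
    print("all or nothing:", groups_all_or_nothing([1]))
```

With the filtered join, the mixed group's existence and a partial contribution count are still disclosed to a user who lacks permission for some of its financial types; the `NOT EXISTS` form discloses neither.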