3 +--------------------------------------------------------------------+
4 | Copyright CiviCRM LLC. All rights reserved. |
6 | This work is published under the GNU AGPLv3 license with some |
7 | permitted exceptions and without any warranty. For full license |
8 | and copyright information, see https://civicrm.org/licensing |
9 +--------------------------------------------------------------------+
12 namespace Civi\API\Subscriber
;
15 use Symfony\Component\EventDispatcher\EventSubscriberInterface
;
18 * For any API requests that correspond to a Doctrine entity
19 * ($apiRequest['doctrineClass']), check permissions specified in
20 * Civi\API\Annotation\Permission.
22 class PermissionCheck
implements EventSubscriberInterface
{
27 public static function getSubscribedEvents() {
// Declares this subscriber's listener map: the Events::AUTHORIZE event is
// handled by onApiAuthorize(), registered with priority Events::W_LATE.
// NOTE(review): W_LATE presumably orders this check after other
// authorization subscribers; confirm against the Events constants.
// NOTE(review): the gutter jumps from 27 to 29 and stops at 30, so the
// statement that opens this array and the closing lines are not shown here.
29 Events
::AUTHORIZE
=> [
30 ['onApiAuthorize', Events
::W_LATE
],
36 * @param \Civi\API\Event\AuthorizeEvent $event
37 * API authorization event.
39 * @throws \Civi\API\Exception\UnauthorizedException
41 public function onApiAuthorize(\Civi\API\Event\AuthorizeEvent
$event) {
// Authorization listener: decides per API version whether the request has
// to pass a permission check, and throws UnauthorizedException when a
// version < 4 request fails both the permission check and the ACL fallback.
// NOTE(review): this listing omits some source lines (the gutter skips
// e.g. 46 and 48, and no closing braces are shown), so each branch may do
// more than the stopPropagation() call that is visible.
42 $apiRequest = $event->getApiRequest();
43 if ($apiRequest['version'] < 4) {
44 // return early unless we’re told explicitly to do the permission check
// Security: for version < 4 the check is opt-in and driven by
// params['check_permissions']. An entry point that accepts params from an
// untrusted caller has to set this flag itself rather than pass it through.
// NOTE(review): empty() already covers every value that loosely equals
// FALSE, so the second operand looks redundant.
45 if (empty($apiRequest['params']['check_permissions']) or $apiRequest['params']['check_permissions'] == FALSE) {
47 $event->stopPropagation();
51 require_once 'CRM/Core/DAO/permissions.php';
52 $permissions = _civicrm_api3_permissions($apiRequest['entity'], $apiRequest['action'], $apiRequest['params']);
54 // $params might’ve been reset by the alterAPIPermissions() hook
// Security: the flag is read a second time after the permission lookup, so
// a hook implementation can switch the check off for this request.
// NOTE(review): presumably the lookup receives params by reference; confirm
// how a hook's change reaches $apiRequest['params'].
55 if (isset($apiRequest['params']['check_permissions']) and $apiRequest['params']['check_permissions'] == FALSE) {
57 $event->stopPropagation();
// Deny only when both the plain permission check and the ACL fallback
// (checkACLPermission) fail.
61 if (!\CRM_Core_Permission
::check($permissions) and !self
::checkACLPermission($apiRequest)) {
// Flatten the requirement into text for the error message: nested arrays
// are joined with ' or ', the top level with ' and '.
62 if (is_array($permissions)) {
// NOTE(review): $permission is a by-reference loop variable and no unset()
// is visible after the loop.
63 foreach ($permissions as &$permission) {
64 if (is_array($permission)) {
65 $permission = '( ' . implode(' or ', $permission) . ' )';
68 $permissions = implode(' and ', $permissions);
70 // FIXME: Generating the exception ourselves allows for detailed error
71 // but doesn't play well with multiple authz subscribers.
// Security: the message interpolates the request's entity and action and
// names the required permissions; escape it for the output context
// wherever it is rendered or logged.
72 throw new \Civi\API\Exception\
UnauthorizedException("API permission check failed for {$apiRequest['entity']}/{$apiRequest['action']} call; insufficient permission: require $permissions");
76 $event->stopPropagation();
// API v4: only the case where the request reports permission checks as
// disabled is handled here.
// NOTE(review): when getCheckPermissions() is true nothing visible happens
// in this branch, presumably leaving the decision to another authorization
// subscriber; confirm. A version above 4 matches neither branch.
78 elseif ($apiRequest['version'] == 4) {
79 if (!$apiRequest->getCheckPermissions()) {
81 $event->stopPropagation();
87 * Check API for ACL permission.
89 * @param array $apiRequest
93 public function checkACLPermission($apiRequest) {
94 switch ($apiRequest['entity']) {
97 $ufGroups = \CRM_Core_PseudoConstant
::get('CRM_Core_DAO_UFField', 'uf_group_id');
98 $aclCreate = \CRM_ACL_API
::group(\CRM_Core_Permission
::CREATE
, NULL, 'civicrm_uf_group', $ufGroups);
99 $aclEdit = \CRM_ACL_API
::group(\CRM_Core_Permission
::EDIT
, NULL, 'civicrm_uf_group', $ufGroups);
100 $ufGroupId = $apiRequest['entity'] == 'UFGroup' ?
$apiRequest['params']['id'] : $apiRequest['params']['uf_group_id'];
101 if (in_array($ufGroupId, $aclEdit) or $aclCreate) {
106 //CRM-16777: Disable schedule reminder with ACLs.
107 case 'ActionSchedule':
108 $events = \CRM_Event_BAO_Event
::getEvents();
109 $aclEdit = \CRM_ACL_API
::group(\CRM_Core_Permission
::EDIT
, NULL, 'civicrm_event', $events);
110 $param = ['id' => $apiRequest['params']['id']];
111 $eventId = \CRM_Core_BAO_ActionSchedule
::retrieve($param, $value = []);
112 if (in_array($eventId->entity_value
, $aclEdit)) {