Civi/Api4/Event/Subscriber/PermissionCheckSubscriber.php

   1 <?php
   2 /*
   3  +--------------------------------------------------------------------+
   4  | Copyright CiviCRM LLC. All rights reserved.                        |
   5  |                                                                    |
   6  | This work is published under the GNU AGPLv3 license with some      |
   7  | permitted exceptions and without any warranty. For full license    |
   8  | and copyright information, see https://civicrm.org/licensing       |
   9  +--------------------------------------------------------------------+
  10  */
  11
  12 namespace Civi\Api4\Event\Subscriber;
  13
  14 use Civi\API\Events;
  15 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  16
  17 /**
  18  * For any API requests that correspond to a Doctrine entity
  19  * ($apiRequest['doctrineClass']), check permissions specified in
  20  * Civi\API\Annotation\Permission.
  21  */
  22 class PermissionCheckSubscriber implements EventSubscriberInterface {
  23
  24   /**
  25    * @return array
  26    */
  27   public static function getSubscribedEvents() {
  28     return [
  29       'civi.api.authorize' => [
  30         ['onApiAuthorize', Events::W_LATE],
  31       ],
  32     ];
  33   }
  34
  35   /**
  36    * @param \Civi\API\Event\AuthorizeEvent $event
  37    *   API authorization event.
  38    */
  39   public function onApiAuthorize(\Civi\API\Event\AuthorizeEvent $event) {
  40     /* @var \Civi\Api4\Generic\AbstractAction $apiRequest */
  41     $apiRequest = $event->getApiRequest();
  42     if ($apiRequest['version'] == 4) {
  43       if (!$apiRequest->getCheckPermissions() || $apiRequest->isAuthorized()) {
  44         $event->authorize();
  45         $event->stopPropagation();
  46       }
  47     }
  48   }
  49
  50 }