Civi/Api4/Event/Subscriber/PermissionCheckSubscriber.php

   1 <?php
   2 /*
   3  +--------------------------------------------------------------------+
   4  | CiviCRM version 4.7                                                |
   5  +--------------------------------------------------------------------+
   6  | Copyright CiviCRM LLC (c) 2004-2017                                |
   7  +--------------------------------------------------------------------+
   8  | This file is a part of CiviCRM.                                    |
   9  |                                                                    |
  10  | CiviCRM is free software; you can copy, modify, and distribute it  |
  11  | under the terms of the GNU Affero General Public License           |
  12  | Version 3, 19 November 2007 and the CiviCRM Licensing Exception.   |
  13  |                                                                    |
  14  | CiviCRM is distributed in the hope that it will be useful, but     |
  15  | WITHOUT ANY WARRANTY; without even the implied warranty of         |
  16  | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.               |
  17  | See the GNU Affero General Public License for more details.        |
  18  |                                                                    |
  19  | You should have received a copy of the GNU Affero General Public   |
  20  | License and the CiviCRM Licensing Exception along                  |
  21  | with this program; if not, contact CiviCRM LLC                     |
  22  | at info[AT]civicrm[DOT]org. If you have questions about the        |
  23  | GNU Affero General Public License or the licensing of CiviCRM,     |
  24  | see the CiviCRM license FAQ at http://civicrm.org/licensing        |
  25  +--------------------------------------------------------------------+
  26  */
  27
  28 namespace Civi\Api4\Event\Subscriber;
  29
  30 use Civi\API\Events;
  31 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  32
  33 /**
  34  * For any API requests that correspond to a Doctrine entity
  35  * ($apiRequest['doctrineClass']), check permissions specified in
  36  * Civi\API\Annotation\Permission.
  37  */
  38 class PermissionCheckSubscriber implements EventSubscriberInterface {
  39
  40   /**
  41    * @return array
  42    */
  43   public static function getSubscribedEvents() {
  44     return [
  45       Events::AUTHORIZE => [
  46         ['onApiAuthorize', Events::W_LATE],
  47       ],
  48     ];
  49   }
  50
  51   /**
  52    * @param \Civi\API\Event\AuthorizeEvent $event
  53    *   API authorization event.
  54    */
  55   public function onApiAuthorize(\Civi\API\Event\AuthorizeEvent $event) {
  56     /* @var \Civi\Api4\Generic\AbstractAction $apiRequest */
  57     $apiRequest = $event->getApiRequest();
  58     if ($apiRequest['version'] == 4) {
  59       if (!$apiRequest->getCheckPermissions() || $apiRequest->isAuthorized()) {
  60         $event->authorize();
  61         $event->stopPropagation();
  62       }
  63     }
  64   }
  65
  66 }