array( array('onApiAuthorize', Events::W_LATE), ), ); } /** * @param \Civi\API\Event\AuthorizeEvent $event * API authorization event. * * @throws \Civi\API\Exception\UnauthorizedException */ public function onApiAuthorize(\Civi\API\Event\AuthorizeEvent $event) { $apiRequest = $event->getApiRequest(); if ($apiRequest['version'] < 4) { // return early unless we’re told explicitly to do the permission check if (empty($apiRequest['params']['check_permissions']) or $apiRequest['params']['check_permissions'] == FALSE) { $event->authorize(); $event->stopPropagation(); return; } require_once 'CRM/Core/DAO/permissions.php'; $permissions = _civicrm_api3_permissions($apiRequest['entity'], $apiRequest['action'], $apiRequest['params']); // $params might’ve been reset by the alterAPIPermissions() hook if (isset($apiRequest['params']['check_permissions']) and $apiRequest['params']['check_permissions'] == FALSE) { $event->authorize(); $event->stopPropagation(); return; } if (!\CRM_Core_Permission::check($permissions)) { if (is_array($permissions)) { $permissions = implode(' and ', $permissions); } // FIXME: Generating the exception ourselves allows for detailed error // but doesn't play well with multiple authz subscribers. throw new \Civi\API\Exception\UnauthorizedException("API permission check failed for {$apiRequest['entity']}/{$apiRequest['action']} call; insufficient permission: require $permissions"); } $event->authorize(); $event->stopPropagation(); } } }