APIv4 - Fix resolving pseudoconstants for less-permissioned users

Fixes dev/core#3750

diff --git a/Civi/Api4/Utils/FormattingUtil.php b/Civi/Api4/Utils/FormattingUtil.php
index da1129ad4fa606350e9c0c14d836729cc9f607ec..efacccb3de3ee905d0d262f04dced2e3d89a188c 100644 (file)
--- a/Civi/Api4/Utils/FormattingUtil.php
+++ b/Civi/Api4/Utils/FormattingUtil.php
@@ -265,7 +265,7 @@ class FormattingUtil {
     }
     // Fallback for option lists that exist in the api but not the BAO
     if (!isset($options) || $options === FALSE) {
-      $options = civicrm_api4($field['entity'], 'getFields', ['action' => $action, 'loadOptions' => ['id', $valueType], 'where' => [['name', '=', $field['name']]]])[0]['options'] ?? NULL;
+      $options = civicrm_api4($field['entity'], 'getFields', ['checkPermissions' => FALSE, 'action' => $action, 'loadOptions' => ['id', $valueType], 'where' => [['name', '=', $field['name']]]])[0]['options'] ?? NULL;
       $options = $options ? array_column($options, $valueType, 'id') : $options;
     }
     if (is_array($options)) {

diff --git a/tests/phpunit/api/v4/Entity/TagTest.php b/tests/phpunit/api/v4/Entity/TagTest.php
index 7aed01ce713ab1c1d1d75ca241d86c94db10efe3..60640106d0d5ffc15d1c0314fe858e8a841bf6f3 100644 (file)
--- a/tests/phpunit/api/v4/Entity/TagTest.php
+++ b/tests/phpunit/api/v4/Entity/TagTest.php
@@ -30,6 +30,10 @@ use Civi\Test\TransactionalInterface;
 class TagTest extends Api4TestBase implements TransactionalInterface {
 
   public function testTagFilter() {
+    // Ensure bypassing permissions works correctly by giving none to the logged-in user
+    $this->createLoggedInUser();
+    \CRM_Core_Config::singleton()->userPermissionClass->permissions = [];
+
     $conTag = Tag::create(FALSE)
       ->addValue('name', uniqid('con'))
       ->addValue('used_for', 'civicrm_contact')