dev/core#4184 Fix Import over-authorization

diff --git a/ext/civiimport/Civi/Api4/Event/Subscriber/ImportSubscriber.php b/ext/civiimport/Civi/Api4/Event/Subscriber/ImportSubscriber.php
index 4ee6bbbe5efebce08da75021de2ae05ac6622f02..0eade33f0db9217dcdcef70e95fd19ae286c0cf2 100644 (file)
--- a/ext/civiimport/Civi/Api4/Event/Subscriber/ImportSubscriber.php
+++ b/ext/civiimport/Civi/Api4/Event/Subscriber/ImportSubscriber.php
@@ -104,7 +104,7 @@ class ImportSubscriber extends AutoService implements EventSubscriberInterface {
   public function onApiAuthorize(AuthorizeEvent $event): void {
     $apiRequest = $event->getApiRequest();
     $entity = $apiRequest['entity'];
-    if (strpos($entity, 'Import_') === 0) {
+    if (strpos($entity, 'Import_') === 0 && !in_array($event->getActionName(), ['getFields', 'getActions', 'checkAccess'], TRUE)) {
       $userJobID = (int) (str_replace('Import_', '', $entity));
       if (!UserJob::get(TRUE)->addWhere('id', '=', $userJobID)->selectRowCount()->execute()->count()) {
         throw new UnauthorizedException('Import access not permitted');