try {
if (!isset($this->_actions[$actionName]) && (!$this->_actionsToGet || in_array($actionName, $this->_actionsToGet))) {
$action = \Civi\API\Request::create($this->getEntityName(), $actionName, ['version' => 4]);
- if (is_object($action) && (!$this->checkPermissions || $action->isAuthorized())) {
+ if (is_object($action) && (!$this->checkPermissions || $action->isAuthorized(\CRM_Core_Session::singleton()->getLoggedInContactID()))) {
$this->_actions[$actionName] = ['name' => $actionName];
if ($this->_isFieldSelected('description', 'comment', 'see')) {
$vars = ['entity' => $this->getEntityName(), 'action' => $actionName];
*
* This function is called if checkPermissions is set to true.
*
+ * @param int|null $userID
+ * Contact ID of the user we are testing, or NULL for the default/active user.
* @return bool
*/
- public function isAuthorized() {
+ public function isAuthorized(?int $userID): bool {
$permissions = $this->getPermissions();
- return \CRM_Core_Permission::check($permissions);
+ return \CRM_Core_Permission::check($permissions, $userID);
}
/**
* @param string $entityName
* @param string $actionName
* @param array $record
+ * @param int|null $userID
+ * Contact ID of the user we are testing, or NULL for the default/active user.
* @return bool
* @throws \API_Exception
* @throws \CRM_Core_Exception
* @throws \Civi\API\Exception\NotImplementedException
* @throws \Civi\API\Exception\UnauthorizedException
*/
- public static function checkAccess(string $entityName, string $actionName, array $record) {
+ public static function checkAccess(string $entityName, string $actionName, array $record, $userID = NULL) {
$action = Request::create($entityName, $actionName, ['version' => 4]);
// This checks gatekeeper permissions
- $granted = $action->isAuthorized();
+ $granted = $action->isAuthorized($userID);
// For get actions, just run a get and ACLs will be applied to the query.
// It's a cheap trick and not as efficient as not running the query at all,
// but BAO::checkAccess doesn't consistently check permissions for the "get" action.
$baoName = self::getBAOFromApiName($entityName);
// CustomValue also requires the name of the group
if ($baoName === 'CRM_Core_BAO_CustomValue') {
- $granted = \CRM_Core_BAO_CustomValue::checkAccess($actionName, $record, NULL, $granted, substr($entityName, 7));
+ $granted = \CRM_Core_BAO_CustomValue::checkAccess($actionName, $record, $userID, $granted, substr($entityName, 7));
}
elseif ($baoName) {
- $granted = $baoName::checkAccess($actionName, $record, NULL, $granted);
+ $granted = $baoName::checkAccess($actionName, $record, $userID, $granted);
}
// Otherwise, call the hook directly
else {
- \CRM_Utils_Hook::checkAccess($entityName, $actionName, $record, NULL, $granted);
+ \CRM_Utils_Hook::checkAccess($entityName, $actionName, $record, $userID, $granted);
}
}
return $granted;
trait OnlyModifyOwnTokensTrait {
- public function isAuthorized(): bool {
- if (\CRM_Core_Permission::check(['manage all OAuth contact tokens'])) {
+ public function isAuthorized(?int $loggedInContactID): bool {
+ if (\CRM_Core_Permission::check(['manage all OAuth contact tokens'], $loggedInContactID)) {
return TRUE;
}
- if (!\CRM_Core_Permission::check(['manage my OAuth contact tokens'])) {
+ if (!\CRM_Core_Permission::check(['manage my OAuth contact tokens'], $loggedInContactID)) {
return FALSE;
}
- $loggedInContactID = \CRM_Core_Session::singleton()->getLoggedInContactID();
foreach ($this->where as $clause) {
[$field, $op, $val] = $clause;
if ($field !== 'contact_id') {