This permission allows non-admins to use search kit.
Previously the user needed 'administer CiviCRM data' permission.
Fixes dev/core#3457
*/
public static function _checkAccess(string $entityName, string $action, array $record, int $userCID) {
// If we hit this function at all, the user is not a super-admin
- // But they must be at least a regular administrator
- if (!CRM_Core_Permission::check('administer CiviCRM data')) {
+ // But they must be at least a SearchKit administrator
+ if (!CRM_Core_Permission::check([['administer CiviCRM data', 'administer search_kit']])) {
return FALSE;
}
if (in_array($action, ['create', 'update'], TRUE)) {
* @throws \API_Exception
*/
public function _run(\Civi\Api4\Generic\Result $result) {
- // Only administrators can use this in unsecured "preview mode"
- if ((is_array($this->savedSearch) || is_array($this->display)) && $this->checkPermissions && !\CRM_Core_Permission::check('administer CiviCRM data')) {
+ // Only SearchKit admins can use this in unsecured "preview mode"
+ if (
+ (is_array($this->savedSearch) || is_array($this->display)) && $this->checkPermissions &&
+ !\CRM_Core_Permission::check([['administer CiviCRM data', 'administer search_kit']])
+ ) {
throw new UnauthorizedException('Access denied');
}
$this->loadSavedSearch();
* @throws \API_Exception
*/
public function _run(\Civi\Api4\Generic\Result $result) {
- // Only administrators can use this in unsecured "preview mode"
- if (is_array($this->savedSearch) && $this->checkPermissions && !\CRM_Core_Permission::check('administer CiviCRM data')) {
+ // Only SearchKit admins can use this in unsecured "preview mode"
+ if (
+ is_array($this->savedSearch) && $this->checkPermissions &&
+ !\CRM_Core_Permission::check([['administer CiviCRM data', 'administer search_kit']])
+ ) {
throw new UnauthorizedException('Access denied');
}
$this->loadSavedSearch();
--- /dev/null
+<?php
+/*
+ +--------------------------------------------------------------------+
+ | Copyright CiviCRM LLC. All rights reserved. |
+ | |
+ | This work is published under the GNU AGPLv3 license with some |
+ | permitted exceptions and without any warranty. For full license |
+ | and copyright information, see https://civicrm.org/licensing |
+ +--------------------------------------------------------------------+
+ */
+
+namespace Civi\Api4\Event\Subscriber;
+
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+
+/**
+ * Event subscriber to check extra permission for SavedSearches
+ */
+class SearchKitSubscriber implements EventSubscriberInterface {
+
+ /**
+ * @return array
+ */
+ public static function getSubscribedEvents() {
+ return [
+ 'civi.api.authorize' => [
+ ['onApiAuthorize', -200],
+ ],
+ ];
+ }
+
+ /**
+ * Alters APIv4 permissions to allow users with 'administer search_kit' to create/delete a SavedSearch
+ *
+ * @param \Civi\API\Event\AuthorizeEvent $event
+ * API authorization event.
+ */
+ public function onApiAuthorize(\Civi\API\Event\AuthorizeEvent $event) {
+ /* @var \Civi\Api4\Generic\AbstractAction $apiRequest */
+ $apiRequest = $event->getApiRequest();
+ if ($apiRequest['version'] == 4 && $apiRequest->getEntityName() === 'SavedSearch') {
+ if (\CRM_Core_Permission::check('administer search_kit')) {
+ $event->authorize();
+ $event->stopPropagation();
+ }
+ }
+ }
+
+}
public static function permissions() {
$permissions = parent::permissions();
- $permissions['default'] = ['administer CiviCRM data'];
+ $permissions['default'] = [['administer CiviCRM data', 'administer search_kit']];
// Anyone with access to CiviCRM can view search displays (but not necessarily the results)
$permissions['get'] = $permissions['getDefault'] = ['access CiviCRM'];
// Anyone with access to CiviCRM can do search tasks (but not necessarily all of them)
class SearchSegment extends Generic\DAOEntity {
use \Civi\Api4\Generic\Traits\ManagedEntity;
+ public static function permissions() {
+ $permissions = parent::permissions();
+ $permissions['default'] = [['administer CiviCRM data', 'administer search_kit']];
+ return $permissions;
+ }
+
}
<?php
require_once 'search_kit.civix.php';
+use CRM_Search_ExtensionUtil as E;
/**
* Implements hook_civicrm_config().
function search_kit_civicrm_config(&$config) {
_search_kit_civix_civicrm_config($config);
Civi::dispatcher()->addListener('hook_civicrm_alterAngular', ['\Civi\Search\AfformSearchMetadataInjector', 'preprocess'], 1000);
+ Civi::dispatcher()->addSubscriber(new Civi\Api4\Event\Subscriber\SearchKitSubscriber());
}
/**
]);
}
+/**
+ * Implements hook_civicrm_permission().
+ *
+ * Define SearchKit permissions.
+ */
+function search_kit_civicrm_permission(&$permissions) {
+ $permissions['administer search_kit'] = [
+ E::ts('Search Kit: edit and delete searches'),
+ E::ts('Gives non-admin users access to the Search Kit UI to create, update and delete searches and displays'),
+ ];
+}
+
/**
* Implements hook_civicrm_alterApiRoutePermissions().
*
}
$this->assertStringContainsString('failed', $error);
- $config->userPermissionClass->permissions = ['access CiviCRM', 'administer CiviCRM data'];
+ $config->userPermissionClass->permissions = ['access CiviCRM', 'administer search_kit'];
// Admins can edit the search and the display
SavedSearch::update()->addWhere('name', '=', $searchName)
<item>
<path>civicrm/admin/search</path>
<page_callback>CRM_Search_Page_Admin</page_callback>
- <access_arguments>administer CiviCRM data</access_arguments>
+ <access_arguments>administer CiviCRM data;administer search_kit</access_arguments>
</item>
</menu>
projects / civicrm-core.git / commitdiff