SearchKit - Fix permission to access default display and download spreadsheets

Intentionally setting these gatekeeper permissions fairly open as all of these actions
perform stricter permission checks internally.

diff --git a/ext/search_kit/Civi/Api4/SearchDisplay.php b/ext/search_kit/Civi/Api4/SearchDisplay.php
index 252786c3f9e49db8a3c2d6a7c66831cb7281c62e..8ab71220e81be8b397e212b999fa53291b0b63ca 100644 (file)
--- a/ext/search_kit/Civi/Api4/SearchDisplay.php
+++ b/ext/search_kit/Civi/Api4/SearchDisplay.php
@@ -52,10 +52,12 @@ class SearchDisplay extends Generic\DAOEntity {
   public static function permissions() {
     $permissions = parent::permissions();
     $permissions['default'] = ['administer CiviCRM data'];
-    $permissions['get'] = ['access CiviCRM'];
+    // Anyone with access to CiviCRM can view search displays (but not necessarily the results)
+    $permissions['get'] = $permissions['getDefault'] = ['access CiviCRM'];
+    // Anyone with access to CiviCRM can do search tasks (but not necessarily all of them)
     $permissions['getSearchTasks'] = ['access CiviCRM'];
-    // Permission for run action is checked internally
-    $permissions['run'] = [];
+    // Permission to run or download search results is checked internally
+    $permissions['run'] = $permissions['download'] = [];
     return $permissions;
   }