From: Seamus Lee
Date: Wed, 20 Nov 2019 03:14:16 +0000 (+1100)
Subject: Ensure that APIv4 Properly filters out permissable fields when no permission to view...
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=7b51867f320af157b6b3510e909c50abb088fdb4;p=civicrm-core.git

Ensure that APIv4 Properly filters out permissable fields when no permission to view field exists
---

diff --git a/Civi/Api4/Query/Api4SelectQuery.php b/Civi/Api4/Query/Api4SelectQuery.php
index f7026ba349..35f6fd8080 100644
--- a/Civi/Api4/Query/Api4SelectQuery.php
+++ b/Civi/Api4/Query/Api4SelectQuery.php
@@ -375,7 +375,10 @@ class Api4SelectQuery extends SelectQuery {
 if ($lastLink instanceof CustomGroupJoinable) {
 $field = $lastLink->getSqlColumn($field);
 }
-
+ // Check Permission on field.
+ if ($this->checkPermissions && !empty($this->apiFieldSpec[$prefix . $field]['permission']) && !\CRM_Core_Permission::check($this->apiFieldSpec[$prefix . $field]['permission'])) {
+ return;
+ }
 $this->fkSelectAliases[$key] = sprintf('%s.%s', $lastLink->getAlias(), $field);
 }
diff --git a/Civi/Api4/Service/Spec/FieldSpec.php b/Civi/Api4/Service/Spec/FieldSpec.php
index 7a44a1d925..c44d58678d 100644
--- a/Civi/Api4/Service/Spec/FieldSpec.php
+++ b/Civi/Api4/Service/Spec/FieldSpec.php
@@ -76,7 +76,7 @@ class FieldSpec {
 protected $requiredIf;
 /**
- * @var array|boolean
+ * @var array|bool
 */
 protected $options;
@@ -105,6 +105,11 @@ class FieldSpec {
 */
 protected $serialize;
+ /**
+ * @var array
+ */
+ protected $permission;
+
 /**
 * Aliases for the valid data types
 *
@@ -286,6 +291,22 @@ class FieldSpec {
 return $this;
 }
+ /**
+ * @param array $permission
+ * @return $this
+ */
+ public function setPermission($permission) {
+ $this->permission = $permission;
+ return $this;
+ }
+ /**
+ * @return array
+ */
+ public function getPermission() {
+ return $this->permission;
+ }
+
 /**
 * @return string
 */
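Review bot: The permission lookup `$this->apiFieldSpec[$prefix . $field]` runs after `$field` may already have been replaced by `$lastLink->getSqlColumn($field)` on the line above it, so for a CustomGroupJoinable link the key is a SQL column name rather than the API field name; if apiFieldSpec is keyed by API field name (its construction is outside this hunk), `!empty()` is then false and the new check is silently skipped for exactly those custom fields. Moving the check above the `instanceof CustomGroupJoinable` rewrite, or saving the API name first (`$apiField = $field;` and looking up `$prefix . $apiField`), closes that gap. The bare `return` also drops the field without any trace, so a comment such as `// Silently omit joined fields the current user may not view; callers must not assume every requested key gets an alias.` would make that contract explicit. The enclosing method starts and ends outside the hunk, so whether `$prefix` and `$key` are loop variables cannot be confirmed here.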
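Review bot: The new `protected $permission` property is documented as `@var array` but has no initializer, so it holds null until setPermission() is called, and the SpecFormatter change in this commit passes through whatever `ArrayHelper::value('permission', $data)` yields for fields with no permission entry. `@var array|null` describes the states the property actually takes, and a short line such as `* Permission(s) required to read this field; null or empty means unrestricted.` would tell readers how the query layer interprets it.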
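Review bot: `setPermission()` stores its argument unchecked while its docblock promises `@param array $permission`, and `getPermission()` is documented `@return array` although the backing property starts out null; `@param array|null` and `@return array|null` (or a default value on the property) would make the accessors honest. Because the stored value becomes the argument to `\CRM_Core_Permission::check()` in Api4SelectQuery, a guard in the setter would fail at spec-build time instead of at query time: `if ($permission !== NULL && !is_array($permission)) { throw new \InvalidArgumentException('permission must be an array or NULL'); }`. If string permissions are meant to be accepted as well, widen the docblock to `string|array|null` rather than adding the guard.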
diff --git a/Civi/Api4/Service/Spec/SpecFormatter.php b/Civi/Api4/Service/Spec/SpecFormatter.php
index b1c1c804e3..f44e267c7a 100644
--- a/Civi/Api4/Service/Spec/SpecFormatter.php
+++ b/Civi/Api4/Service/Spec/SpecFormatter.php
@@ -100,6 +100,7 @@ class SpecFormatter {
 $field->setDescription(ArrayHelper::value('description', $data));
 self::setInputTypeAndAttrs($field, $data, $dataTypeName);
+ $field->setPermission(ArrayHelper::value('permission', $data));
 $fkAPIName = ArrayHelper::value('FKApiName', $data);
 $fkClassName = ArrayHelper::value('FKClassName', $data);
 if ($fkAPIName || $fkClassName) {
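Review bot: The new `$field->setPermission(...)` line sits below the blank line that separates the simple property setters (`setDescription`, `setInputTypeAndAttrs`) from the FK-resolution block beginning at `$fkAPIName`, so it reads as part of the FK logic; moving it up directly under `self::setInputTypeAndAttrs(...)` keeps the grouping. `ArrayHelper::value('permission', $data)` presumably yields null when the metadata has no `permission` key (the helper is outside this diff), which is the value the `!empty()` test in Api4SelectQuery treats as unrestricted, and a comment such as `// NULL when the entity metadata declares no view permission for this field; the query layer treats that as unrestricted.` would record that contract at the point where it is decided. The enclosing method starts before and ends after the hunk.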