From: Coleman Watts
Date: Fri, 5 Aug 2022 13:55:03 +0000 (-0400)
Subject: SearchKit - Fix viewing search display for anonymous user
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=7f3fa1c3162bb6b18a62c124f1235772ebb693f1;p=civicrm-core.git

SearchKit - Fix viewing search display for anonymous user

This regressed in aa5d068b84f7ccd6370dd94339ecdc82c052a2c1 when the single SearchDisplay::run api call was replacd with an array of calls. The hack in alterApiRoutePermissions can't handle multiple calls. This updates it so that it can handle an array of calls - it will call the hook for each one and reject the request if any of them lack permission.
---
diff --git a/CRM/Api4/Permission.php b/CRM/Api4/Permission.php
index c179ad57c0..fa8d0ecca0 100644
--- a/CRM/Api4/Permission.php
+++ b/CRM/Api4/Permission.php
@@ -22,17 +22,29 @@ class CRM_Api4_Permission {
 public static function check() {
- $config = CRM_Core_Config::singleton();
- $urlPath = explode('/', $_GET[$config->userFrameworkURLVar]);
- $permissions = [
+ $urlPath = explode('/', CRM_Utils_System::currentPath());
+ $defaultPermissions = [
 ['access CiviCRM', 'access AJAX API'],
 ];
 if (!empty($urlPath[3])) {
 $entity = $urlPath[3];
 $action = $urlPath[4];
+ $permissions = $defaultPermissions;
 CRM_Utils_Hook::alterApiRoutePermissions($permissions, $entity, $action);
+ return CRM_Core_Permission::check($permissions);
+ }
+ else {
+ $calls = CRM_Utils_Request::retrieve('calls', 'String', CRM_Core_DAO::$_nullObject, TRUE, NULL, 'POST');
+ $calls = json_decode($calls, TRUE);
+ foreach ($calls as $call) {
+ $permissions = $defaultPermissions;
+ CRM_Utils_Hook::alterApiRoutePermissions($permissions, $call[0], $call[1]);
+ if (!CRM_Core_Permission::check($permissions)) {
+ return FALSE;
+ }
+ }
+ return TRUE;
 }
- return CRM_Core_Permission::check($permissions);
 }
 }
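Review bot: The new `else` branch of `check()` fails open: `json_decode()` yields `NULL` for malformed input and `[]` for an empty list, so the `foreach` body never runs and the method reaches `return TRUE` without checking even `$defaultPermissions`. Since this is the permission gate for the API route, it should deny when nothing was validated, e.g. `if (!is_array($calls) || !$calls) { return FALSE; }` right after decoding. Inside the loop, `$call[0]` and `$call[1]` are passed to the hook unchecked, so a non-array or short element should be rejected as well: `if (!is_array($call) || !isset($call[0], $call[1])) { return FALSE; }`. Whether each API call is permission-checked again further down is not visible from this hunk, so the impact may be limited, but the gate itself should not return TRUE by default.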