From: colemanw
Date: Thu, 21 Dec 2023 03:29:23 +0000 (-0500)
Subject: APIv4 - Fix getLinks permission checks
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=9f638e7fc4a915c6f77acd34f1126364752a0967;p=civicrm-core.git

APIv4 - Fix getLinks permission checks

The getLinks action checks all permissions internally, so should not have any external gatekeeper checks applied.
---
diff --git a/Civi/Api4/Event/Subscriber/PermissionCheckSubscriber.php b/Civi/Api4/Event/Subscriber/PermissionCheckSubscriber.php
index 454dbc0735..2561a40946 100644
--- a/Civi/Api4/Event/Subscriber/PermissionCheckSubscriber.php
+++ b/Civi/Api4/Event/Subscriber/PermissionCheckSubscriber.php
@@ -42,7 +42,12 @@ class PermissionCheckSubscriber extends \Civi\Core\Service\AutoService implement
 /** @var \Civi\Api4\Generic\AbstractAction $apiRequest */
 $apiRequest = $event->getApiRequest();
 if ($apiRequest['version'] == 4) {
- if (!$apiRequest->getCheckPermissions() || $apiRequest->isAuthorized(\CRM_Core_Session::singleton()->getLoggedInContactID())) {
+ if (
+ !$apiRequest->getCheckPermissions() ||
+ // This action checks permissions internally
+ $apiRequest->getActionName() === 'getLinks' ||
+ $apiRequest->isAuthorized(\CRM_Core_Session::singleton()->getLoggedInContactID())
+ ) {
 $event->authorize();
 $event->stopPropagation();
 }
diff --git a/ext/search_kit/tests/phpunit/api/v4/SearchDisplay/SearchRunTest.php b/ext/search_kit/tests/phpunit/api/v4/SearchDisplay/SearchRunTest.php
index ade06c0854..b388174f9b 100644
--- a/ext/search_kit/tests/phpunit/api/v4/SearchDisplay/SearchRunTest.php
+++ b/ext/search_kit/tests/phpunit/api/v4/SearchDisplay/SearchRunTest.php
@@ -6,6 +6,7 @@ require_once __DIR__ . '/../../../../../../../tests/phpunit/api/v4/Api4TestBase.
 use api\v4\Api4TestBase;
 use Civi\API\Exception\UnauthorizedException;
+use Civi\Api4\Action\GetLinks;
 use Civi\Api4\Activity;
 use Civi\Api4\Address;
 use Civi\Api4\Contact;
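Review bot: The new exemption in the `if` is keyed on the action name alone (`$apiRequest->getActionName() === 'getLinks'`), so any entity that ships its own `getLinks` action, or a subclass that overrides the permission logic, also skips `isAuthorized()` whether or not it performs the internal checks the comment relies on. Tying the bypass to the implementation that actually does those checks is safer and costs one line: `$apiRequest instanceof \Civi\Api4\Action\GetLinks ||` (the same class the test file imports). Because the exemption now skips everything `isAuthorized()` would enforce for this request, the comment should state what GetLinks is trusted to cover, e.g. `// GetLinks checks each link's permission itself and must also apply any entity-level gate that isAuthorized() would; the generic gatekeeper is skipped for it`; whether GetLinks does apply an entity-level gate is not visible in this hunk and should be confirmed. The enclosing method's signature lies before the hunk.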
@@ -2049,6 +2050,9 @@ class SearchRunTest extends Api4TestBase implements TransactionalInterface {
 $this->assertCount(0, $result->toolbar);
 // With 'add contacts' permission the button will be shown
 \CRM_Core_Config::singleton()->userPermissionClass->permissions[] = 'add contacts';
+ // Clear getLinks cache after changing permissions
+ \Civi::$statics[GetLinks::class] = [];
+
 $result = civicrm_api4('SearchDisplay', 'run', $params);
 $this->assertCount(1, $result->toolbar);
 $button = $result->toolbar[0];
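Review bot: The test has to reach into GetLinks' private storage with `\Civi::$statics[GetLinks::class] = [];` to get a correct result after the permission set changes, which shows the getLinks cache is not invalidated or keyed on the acting user's permissions; any other test (or long-lived process) that changes permissions mid-request would silently keep serving the pre-change links. Prefer giving GetLinks a reset entry point and calling that here, e.g. `GetLinks::clearCache();` (or keying the cache on the permission state so no manual reset is needed), rather than hard-coding the `$statics` layout in a test. In a plain per-request PHP deployment `\Civi::$statics` presumably lives only for one request, so the runtime exposure is likely limited to long-running workers, but that is not visible here and is worth confirming. The enclosing test method starts before the hunk.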