From: colemanw Date: Mon, 11 Sep 2023 23:17:40 +0000 (-0400) Subject: APIv4 - Giving up on fine-grained File ACLs for now X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=c173c010c05d08b9ef0b8ff09f6d9b4b3a15a25c;p=civicrm-core.git APIv4 - Giving up on fine-grained File ACLs for now
---
diff --git a/CRM/Core/BAO/File.php b/CRM/Core/BAO/File.php
index 0837317f1e..98b5abd38a 100644
--- a/CRM/Core/BAO/File.php
+++ b/CRM/Core/BAO/File.php
@@ -838,8 +838,11 @@ HEREDOC;
 * @inheritDoc
 */
 public function addSelectWhereClause() {
- // We always return an array with these keys, even if they are empty,
- // because this tells the query builder that we have considered these fields for acls
+ // TODO: This seemded like a good idea... piggybacking off the ACL clause of EntityFile
+ // however that's too restrictive because entityFile ACLs are limited to just attachments,
+ // so this would prevent access to other file fields (e.g. custom fields)
+ // Disabling this function for now by calling the parent instead.
+ return parent::addSelectWhereClause();
 $clauses = [
 'id' => [],
 ];
diff --git a/tests/phpunit/api/v4/Action/EntityFileTest.php b/tests/phpunit/api/v4/Action/EntityFileTest.php
index 9df5d3b11e..c3a5bf5dd5 100644
--- a/tests/phpunit/api/v4/Action/EntityFileTest.php
+++ b/tests/phpunit/api/v4/Action/EntityFileTest.php
@@ -22,7 +22,6 @@ namespace api\v4\Action;
 use api\v4\Api4TestBase;
 use Civi\Api4\Activity;
 use Civi\Api4\EntityFile;
-use Civi\Api4\File;
 use Civi\Api4\Note;
 use Civi\Core\HookInterface;
 use Civi\Test\TransactionalInterface;
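Review bot: The added `return parent::addSelectWhereClause();` in `CRM_Core_BAO_File::addSelectWhereClause()` makes the `$clauses = [...]` code below it unreachable, and the new comment does not say what still restricts File reads once the EntityFile-derived clause is bypassed. What the parent returns is not visible in this hunk, so the effective access rule should be stated next to the return, e.g. `// NOTE: File rows are now filtered only by the parent's clauses; the EntityFile-based ACL clause is NOT applied here.` Consider deleting the dead body (it stays in history) or pointing the TODO at a tracking issue so the relaxed check is not forgotten. The method body continues past the end of the hunk.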
@@ -75,14 +74,15 @@ class EntityFileTest extends Api4TestBase implements TransactionalInterface, Hoo
 // Results should have been filtered by allowed contacts
 $this->assertCount(2, $allowedEntityFiles);
- $allowedFiles = File::get()
- ->addWhere('id', 'IN', $file)
- ->setDebug(TRUE)
- ->execute();
- // ACL clause should have been inserted
- $this->assertStringContainsString('civicrm_acl_contact_cache', $allowedFiles->debug['sql'][0]);
- // Results should have been filtered by allowed contacts
- $this->assertCount(2, $allowedFiles);
+ // Disabling - see comment in CRM_Core_BAO_File::addSelectWhereClause()
+ // $allowedFiles = File::get()
+ // ->addWhere('id', 'IN', $file)
+ // ->setDebug(TRUE)
+ // ->execute();
+ // // ACL clause should have been inserted
+ // $this->assertStringContainsString('civicrm_acl_contact_cache', $allowedFiles->debug['sql'][0]);
+ // // Results should have been filtered by allowed contacts
+ // $this->assertCount(2, $allowedFiles);
 $allowedNotes = Note::get()
 ->addJoin('File AS file', 'LEFT', 'EntityFile', ['file.entity_id', '=', 'id'], ['file.entity_table', '=', '"civicrm_note"'])
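Review bot: Commenting out the `File::get()` assertions leaves no test describing what a restricted user can read through the File entity now that the ACL clause is bypassed, so a later change in either direction would go unnoticed. Rather than keeping dead commented code, move the block into its own test method and mark it with `$this->markTestIncomplete('File ACLs disabled - see CRM_Core_BAO_File::addSelectWhereClause()');` so it shows up in test reports, or assert the currently intended behaviour explicitly. Re-enabling it will also need the `use Civi\Api4\File;` import that this commit removes. The enclosing test method starts and ends outside the hunk.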