From 01aa61a33a956c80b148799a27f64b1787d63277 Mon Sep 17 00:00:00 2001
From: Tim Otten
Date: Wed, 18 Dec 2019 21:43:05 -0800
Subject: [PATCH] Afform.{prefill,submit} - APIs should respect `permission`
---
 .../Api4/Action/Afform/AbstractProcessor.php | 6 ++++
 .../tests/phpunit/api/v4/AfformUsageTest.php | 36 +++++++++++++++++++
 2 files changed, 42 insertions(+)
diff --git a/ext/afform/core/Civi/Api4/Action/Afform/AbstractProcessor.php b/ext/afform/core/Civi/Api4/Action/Afform/AbstractProcessor.php
index 2249edbdf0..e5cc41258f 100644
--- a/ext/afform/core/Civi/Api4/Action/Afform/AbstractProcessor.php
+++ b/ext/afform/core/Civi/Api4/Action/Afform/AbstractProcessor.php
@@ -35,6 +35,12 @@ abstract class AbstractProcessor extends \Civi\Api4\Generic\AbstractAction {
 public function _run(Result $result) {
 // This will throw an exception if the form doesn't exist
 $this->_afform = (array) civicrm_api4('Afform', 'get', ['checkPermissions' => FALSE, 'where' => [['name', '=', $this->name]]], 0);
+ if ($this->getCheckPermissions()) {
+ if (!\CRM_Core_Permission::check("@afform:" . $this->_afform['name'])) {
+ throw new \Civi\API\Exception\UnauthorizedException("Authorization failed: Cannot process form " . $this->_afform['name']);
+ }
+ }
+
 $this->_formDataModel = FormDataModel::create($this->_afform['layout']);
 $this->validateArgs();
 $result->exchangeArray($this->processForm());
diff --git a/ext/afform/mock/tests/phpunit/api/v4/AfformUsageTest.php b/ext/afform/mock/tests/phpunit/api/v4/AfformUsageTest.php
index 128475d1f8..14823d2b42 100644
--- a/ext/afform/mock/tests/phpunit/api/v4/AfformUsageTest.php
+++ b/ext/afform/mock/tests/phpunit/api/v4/AfformUsageTest.php
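Review bot: The permission token built in the new guard of `_run`, `"@afform:" . $this->_afform['name']`, has a format nothing in the hunk explains; the commit title suggests `CRM_Core_Permission::check` resolves it to the form's own `permission` setting, so a one-line comment such as `// "@afform:NAME" delegates to the form's configured 'permission' field` would spare the next reader a lookup. The two nested conditionals can be collapsed into a single guard, `if ($this->getCheckPermissions() && !\CRM_Core_Permission::check("@afform:" . $this->_afform['name'])) {`, with the throw as its only body. Note that the gate is bypassed entirely when `checkPermissions` is false, so any internal caller that forwards end-user input to prefill/submit presumably has to pass `checkPermissions` true for the form's `permission` to take effect. The denial is placed before `validateArgs()` and `processForm()`, so an unauthorized caller never reaches form processing; the enclosing class continues outside the hunk.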
@@ -71,6 +71,42 @@ EOHTML;
 $this->assertEquals('Lasty', $contact['last_name']);
 }
 
+ public function testAboutMeForbidden() {
+ $this->useValues([
+ 'layout' => self::$layouts['aboutMe'],
+ 'permission' => CRM_Core_Permission::ALWAYS_DENY_PERMISSION,
+ ]);
+
+ $this->createLoggedInUser();
+ CRM_Core_Config::singleton()->userPermissionTemp = new CRM_Core_Permission_Temp();
+
+ try {
+ Civi\Api4\Afform::prefill()
+ ->setName($this->formName)
+ ->setArgs([])
+ ->execute()
+ ->indexBy('name');
+ $this->fail('Expected authorization exception from Afform.prefill');
+ }
+ catch (\Civi\API\Exception\UnauthorizedException $e) {
+ $this->assertRegExp(';Authorization failed: Cannot process form mock\d+;', $e->getMessage());
+ }
+
+ try {
+ Civi\Api4\Afform::submit()
+ ->setName($this->formName)
+ ->setArgs([])
+ ->setValues([
+ 'does.n' => 'tmatter',
+ ])
+ ->execute();
+ $this->fail('Expected authorization exception from Afform.submit');
+ }
+ catch (\Civi\API\Exception\UnauthorizedException $e) {
+ $this->assertRegExp(';Authorization failed: Cannot process form mock\d+;', $e->getMessage());
+ }
+ }
+
 protected function useValues($values) {
 $defaults = [
 'title' => 'My form',
-- 
2.25.1
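Review bot: The two `try`/`catch` blocks in `testAboutMeForbidden` are near-duplicates, and asserting on the exact message text with `assertRegExp(';Authorization failed: Cannot process form mock\d+;', ...)` couples the test to wording; catching `UnauthorizedException` is already the meaningful check, and if the project's PHPUnit provides it, `$this->assertStringContainsString($this->formName, $e->getMessage());` would pin the form name without depending on the sentence. `assertRegExp` is deprecated in newer PHPUnit releases in favour of `assertMatchesRegularExpression`, which is worth checking against the version the project pins. The test also replaces `userPermissionTemp` on the config singleton without a matching reset, which could leak into later tests unless a `tearDown` outside the hunk already restores it. A positive counterpart using `ALWAYS_ALLOW_PERMISSION` on the same form would guard against the check being inverted, unless the `testAboutMe` case above (whose body is outside the hunk) already exercises a permitted form; the enclosing class starts outside the hunk.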