From 0d20e81c8302affeda7fe7c9325cc6e5170366cd Mon Sep 17 00:00:00 2001 From: Coleman Watts Date: Fri, 24 Apr 2020 15:32:42 -0400 Subject: [PATCH] APIv4 - Enforce contact field permissions via metadata instead of class override Now that 'permission' metadata has been added to the schema, there's no need for specialized code for that field. This adds generic code to handle any field with permissions declared. --- Civi/Api4/Action/Contact/GetFields.php | 39 ---------------------- Civi/Api4/Contact.php | 7 ---- Civi/Api4/Generic/BasicGetFieldsAction.php | 8 +++++ 3 files changed, 8 insertions(+), 46 deletions(-) delete mode 100644 Civi/Api4/Action/Contact/GetFields.php diff --git a/Civi/Api4/Action/Contact/GetFields.php b/Civi/Api4/Action/Contact/GetFields.php deleted file mode 100644 index 7c1431ab53..0000000000 --- a/Civi/Api4/Action/Contact/GetFields.php +++ /dev/null @@ -1,39 +0,0 @@ -checkPermissions && !\CRM_Core_Permission::check([$apiKeyPerms])) { - unset($fields['api_key']); - } - - return $fields; - } - -} diff --git a/Civi/Api4/Contact.php b/Civi/Api4/Contact.php index 920917028f..9e13c833c4 100644 --- a/Civi/Api4/Contact.php +++ b/Civi/Api4/Contact.php @@ -32,13 +32,6 @@ namespace Civi\Api4; */ class Contact extends Generic\DAOEntity { - /** - * @return \Civi\Api4\Action\Contact\GetFields|Generic\DAOGetFieldsAction - */ - public static function getFields() { - return new Action\Contact\GetFields(__CLASS__, __FUNCTION__); - } - /** * @return \Civi\Api4\Action\Contact\GetChecksum */ diff --git a/Civi/Api4/Generic/BasicGetFieldsAction.php b/Civi/Api4/Generic/BasicGetFieldsAction.php index 553d5bed22..9c2c577a15 100644 --- a/Civi/Api4/Generic/BasicGetFieldsAction.php +++ b/Civi/Api4/Generic/BasicGetFieldsAction.php 
@@ -103,6 +103,14 @@ class BasicGetFieldsAction extends BasicGetAction {
 */
 protected function padResults(&$values) {
 $fields = array_column($this->fields(), 'name');
+ // Enforce field permissions
+ if ($this->checkPermissions) {
+ foreach ($values as $key => $field) {
+ if (!empty($field['permission']) && !\CRM_Core_Permission::check($field['permission'])) {
+ unset($values[$key]);
+ }
+ }
+ }
 foreach ($values as &$field) {
 $defaults = array_intersect_key([
 'title' => empty($field['name']) ? NULL : ucwords(str_replace('_', ' ', $field['name'])),
-- 2.25.1
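Review bot: The new check in padResults() passes `$field['permission']` straight to `\CRM_Core_Permission::check()`, whereas the removed Contact override called `check([$apiKeyPerms])` with one more level of array nesting. Under check()'s convention (outer array = all-of, nested array = any-of), a flat list in the schema metadata would turn the old any-of test into all-of; that fails closed, but it may hide `api_key` from users who could see it before. The expected shape should be stated next to the check, e.g. `// 'permission' is passed as-is to CRM_Core_Permission::check(): flat list = all required, nested list = any of`. This loop now appears to be the only place that withholds permissioned fields from getFields output, and the diffstat shows no test change, so a regression test that runs Contact getFields with checkPermissions enabled as a user lacking the API-key permissions and asserts `api_key` is absent would be worth adding. padResults() continues past the end of the hunk.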