From 1364a6d01d97b49f2d3c2a55fd5f00b0d7bfaf44 Mon Sep 17 00:00:00 2001
From: colemanw
Date: Sun, 10 Sep 2023 20:20:35 -0400
Subject: [PATCH] Document that civi.api4.authorizeRecord does not work for get actions

---
 Civi/Api4/Event/AuthorizeRecordEvent.php | 3 ++-
 tests/phpunit/api/v4/Entity/ConformanceTest.php | 10 +++-------
 2 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/Civi/Api4/Event/AuthorizeRecordEvent.php b/Civi/Api4/Event/AuthorizeRecordEvent.php
index 5fc1db1c4e..dd0e4c55e2 100644
--- a/Civi/Api4/Event/AuthorizeRecordEvent.php
+++ b/Civi/Api4/Event/AuthorizeRecordEvent.php
@@ -16,7 +16,8 @@ use Civi\API\Event\RequestTrait;
 use Civi\Core\Event\GenericHookEvent;

 /**
- * Determine if the a user has access to a given record.
+ * Determine if the a user has WRITE access to a given record.
+ * This event does not impact READ access for `get` actions.
 *
 * Event name: 'civi.api4.authorizeRecord'
 */
diff --git a/tests/phpunit/api/v4/Entity/ConformanceTest.php b/tests/phpunit/api/v4/Entity/ConformanceTest.php
index 75fa3b9ca3..8fd04eaf73 100644
--- a/tests/phpunit/api/v4/Entity/ConformanceTest.php
+++ b/tests/phpunit/api/v4/Entity/ConformanceTest.php
@@ -147,7 +147,8 @@ class ConformanceTest extends Api4TestBase implements HookInterface {
 $this->checkCreationDenied($entityName, $entityClass);
 $id = $this->checkCreation($entityName, $entityClass);
 $getResult = $this->checkGet($entityName, $id);
- $this->checkGetAllowed($entityClass, $id, $entityName);
+ // civi.api4.authorizeRecord does not work on `get` actions
+ // $this->checkGetAllowed($entityClass, $id, $entityName);
 $this->checkGetCount($entityClass, $id, $entityName);
 $this->checkUpdateFailsFromCreate($entityClass, $id);
 $this->checkUpdate($entityName, $getResult);
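Review bot: In Civi/Api4/Event/AuthorizeRecordEvent.php the new docblock says what the event does not cover but gives an implementer no pointer to what does govern read access, so a listener written to deny access here can still leave the record readable through `get`. Consider naming the read-side mechanism in the same comment, for example ` * To restrict READ access, implement hook_civicrm_selectWhereClause instead.` (confirm that this is the intended replacement before merging). The rewritten sentence also carries over the typo `if the a user`, which should read `if a user`.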
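Review bot: In tests/phpunit/api/v4/Entity/ConformanceTest.php the `checkGetAllowed()` call is disabled by commenting it out, which leaves the helper unreferenced from this test and, as far as the hunk shows, drops the conformance assertion for a permissioned `get` with access granted. A commented-out call is easy to lose track of, so a regression in read authorization could go unnoticed. A tracked marker such as `// TODO(<issue-ref>): re-enable checkGetAllowed() once read access for get is testable` keeps the gap visible. The enclosing test method starts and ends outside the hunk, so whether the denied path for `get` is still exercised cannot be told from here.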
@@ -347,12 +348,7 @@ class ConformanceTest extends Api4TestBase implements HookInterface {
 }

 /**
- * Use a permissioned request for `get()`, with access grnted
- * via checkAccess event.
- *
- * @param \Civi\Api4\Generic\AbstractEntity|string $entityClass
- * @param int $id
- * @param string $entity
+ * FIXME: Not working. `civi.api4.authorizeRecord` does not work on `get` actions.
 */
 protected function checkGetAllowed($entityClass, $id, $entity) {
 $this->setCheckAccessGrants(["{$entity}::get" => TRUE]);
-- 
2.25.1
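Review bot: Replacing the whole docblock of `checkGetAllowed()` with a FIXME drops the `@param` tags and the statement of what the helper verifies, although the signature on the following line is unchanged. Keep the original description and tags and add the FIXME as one extra line, for example ` * FIXME: currently not called; civi.api4.authorizeRecord does not apply to get actions.` The wording "Not working" does not say whether the helper or the event is at fault, and the next reader needs that to decide whether to fix or delete the method. The method body continues past the end of the hunk.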