From 1936f6c7c32bc087e847209a13484435439183cb Mon Sep 17 00:00:00 2001
From: Coleman Watts
Date: Thu, 2 Jun 2022 23:29:30 -0400
Subject: [PATCH] APIv4 - Use api kernel to validate entity permissions
This allows extensions to expand permissions via the civi.api.authorize event, instead of assuming that all permissions are hard-coded in the core entity.
---
 Civi/Api4/Utils/CoreUtil.php | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/Civi/Api4/Utils/CoreUtil.php b/Civi/Api4/Utils/CoreUtil.php
index 22e87b73ce..3bd5ee9b1b 100644
--- a/Civi/Api4/Utils/CoreUtil.php
+++ b/Civi/Api4/Utils/CoreUtil.php
@@ -13,6 +13,7 @@
 namespace Civi\Api4\Utils;
 use Civi\API\Exception\NotImplementedException;
+use Civi\API\Exception\UnauthorizedException;
 use Civi\API\Request;
 use CRM_Core_DAO_AllCoreTables as AllCoreTables;
@@ -212,10 +213,16 @@ class CoreUtil {
 */
 public static function checkAccessDelegated(string $entityName, string $actionName, array $record, int $userID) {
 $apiRequest = Request::create($entityName, $actionName, ['version' => 4]);
- // TODO: Should probably emit civi.api.authorize for checking guardian permission; but in APIv4 with std cfg, this is de-facto equivalent.
- if (!$apiRequest->isAuthorized()) {
+ // First check gatekeeper permissions via the kernel
+ $kernel = \Civi::service('civi_api_kernel');
+ try {
+ [$actionObjectProvider] = $kernel->resolve($apiRequest);
+ $kernel->authorize($actionObjectProvider, $apiRequest);
+ }
+ catch (UnauthorizedException $e) {
 return FALSE;
 }
+ // Gatekeeper permission check passed, now check fine-grained permission
 return static::checkAccessRecord($apiRequest, $record, $userID);
 }
--
2.25.1
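Review bot: The new try block in checkAccessDelegated() catches only UnauthorizedException, so anything else raised by `$kernel->resolve($apiRequest)` now escapes a method whose other visible paths return a boolean; the file already imports NotImplementedException, which suggests resolve() may raise it for an entity or action with no provider (to be confirmed against the kernel). If denial is the intended outcome in that case, widen the handler to `catch (UnauthorizedException | NotImplementedException $e) {`; otherwise add an `@throws` line to the docblock, which begins above this hunk. Separately, `$userID` is passed only to checkAccessRecord(), while the request is built from `['version' => 4]` alone, so the gatekeeper decision appears to be made for the current session user rather than for `$userID`. A comment such as `// NOTE: gatekeeper check applies to the logged-in user, not $userID` would make that limit visible to callers that check access on behalf of another contact.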