From 2ffa31a8952701e8f7d701d8efed86d663665702 Mon Sep 17 00:00:00 2001
From: Patrick Figel
Date: Tue, 5 Feb 2019 18:04:07 +0100
Subject: [PATCH] dev/core#690 - Civi\API - Add a check on entity_table existing

This adds a check in DynamicFKAuthorization to verify that the entity_table in the API request actually exists as a table. Additionally, this changes a test case in api_v3_AttachmentTest to enable permission checking. This is necessary because the change to DynamicFKAuthorization means trusted API calls can now attach files to *any* entity unless check_permissions is set, in which case it's only possible for allowed delegates.
---
 Civi/API/Subscriber/DynamicFKAuthorization.php | 3 +++
 tests/phpunit/api/v3/AttachmentTest.php | 1 +
 2 files changed, 4 insertions(+)

diff --git a/Civi/API/Subscriber/DynamicFKAuthorization.php b/Civi/API/Subscriber/DynamicFKAuthorization.php
index aade5b2968..daddd72af9 100644
--- a/Civi/API/Subscriber/DynamicFKAuthorization.php
+++ b/Civi/API/Subscriber/DynamicFKAuthorization.php
@@ -179,6 +179,9 @@ class DynamicFKAuthorization implements EventSubscriberInterface {
 }
 if (isset($apiRequest['params']['entity_table'])) {
+ if (!\CRM_Core_DAO_AllCoreTables::isCoreTable($apiRequest['params']['entity_table'])) {
+ throw new \API_Exception("Unrecognized target entity table {$apiRequest['params']['entity_table']}");
+ }
 $this->authorizeDelegate(
 $apiRequest['action'],
 $apiRequest['params']['entity_table'],
diff --git a/tests/phpunit/api/v3/AttachmentTest.php b/tests/phpunit/api/v3/AttachmentTest.php
index d98b4ca585..bc2cf65703 100644
--- a/tests/phpunit/api/v3/AttachmentTest.php
+++ b/tests/phpunit/api/v3/AttachmentTest.php
@@ -160,6 +160,7 @@ class api_v3_AttachmentTest extends CiviUnitTestCase {
 'mime_type' => 'text/plain',
 'description' => 'My test description',
 'content' => 'My test content',
+ 'check_permissions' => 1,
 ),
 "/Unrecognized target entity/",
 );
-- 
2.25.1
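Review bot: The new guard at the top of the `entity_table` branch is an existence check rather than an allowlist: `isCoreTable()` accepts any core table name (`civicrm_setting`, `civicrm_domain`, `civicrm_file` itself), so on the trusted path where `check_permissions` is off — which the commit message itself says can now attach files to any entity — a caller can still point an attachment at a table that never legitimately owns files. Consider validating against the same set of attachable delegate tables that `authorizeDelegate()` consults for the permission-checked case, so the trusted path is bounded by "is it an attachable entity" rather than "is it a table". Separately, the thrown message interpolates the raw client-supplied value back into the error text; that is harmless in a JSON API response, but if this exception text is ever rendered into HTML it becomes a reflected-injection sink, and `throw new \API_Exception("Unrecognized target entity table");` would still satisfy the test's `/Unrecognized target entity/` expectation. If `isCoreTable()` only recognizes tables shipped with core rather than every registered entity table — its implementation is not in this hunk — attachments on extension-registered entity tables would now be rejected, which is worth confirming. The enclosing method starts and ends outside the hunk.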
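Review bot: Enabling `check_permissions` on this case means it no longer exercises the trusted path at all, yet the new table-existence guard in `DynamicFKAuthorization` is precisely what should reject a bogus `entity_table` for trusted callers, and nothing here pins that. Add a second dataset (or a sibling case) that keeps `'check_permissions' => 0`, uses an `entity_table` that certainly does not exist such as `'civicrm_nonexistent_table'`, and still expects `/Unrecognized target entity/`, so dev/core#690 has regression coverage independent of the delegate check. The `entity_table` value this case actually sends is outside the hunk, so whether it is a real-but-disallowed table or a nonexistent one cannot be confirmed from here. The surrounding data-provider array starts and ends outside the hunk.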