From 3403fa147bae3cd68a80054829129fb867c863b7 Mon Sep 17 00:00:00 2001
From: colemanw
Date: Sun, 3 Dec 2023 17:02:56 +0000
Subject: [PATCH] APIv4 - Super-admins don't always have access to everything

---
 Civi/Api4/Utils/CoreUtil.php | 5 -----
 ext/search_kit/CRM/Search/BAO/SearchDisplay.php | 9 ++++++---
 2 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/Civi/Api4/Utils/CoreUtil.php b/Civi/Api4/Utils/CoreUtil.php
index 7a1e4493d9..bb5fa2be89 100644
--- a/Civi/Api4/Utils/CoreUtil.php
+++ b/Civi/Api4/Utils/CoreUtil.php
@@ -242,11 +242,6 @@ class CoreUtil {
     $userID = $userID ?? \CRM_Core_Session::getLoggedInContactID() ?? 0;
     $idField = self::getIdFieldName($apiRequest->getEntityName());
 
-    // Super-admins always have access to everything
-    if (\CRM_Core_Permission::check('all CiviCRM permissions and ACLs', $userID)) {
-      return TRUE;
-    }
-
     // For get actions, just run a get and ACLs will be applied to the query.
     // It's a cheap trick and not as efficient as not running the query at all,
     // but BAO::checkAccess doesn't consistently check permissions for the "get" action.
diff --git a/ext/search_kit/CRM/Search/BAO/SearchDisplay.php b/ext/search_kit/CRM/Search/BAO/SearchDisplay.php
index c52b411427..3ab1f66a00 100644
--- a/ext/search_kit/CRM/Search/BAO/SearchDisplay.php
+++ b/ext/search_kit/CRM/Search/BAO/SearchDisplay.php
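Review bot: With the early return removed, the decision for holders of 'all CiviCRM permissions and ACLs' now rests entirely on the `get` probe and the per-entity BAO::checkAccess further down, so any entity whose own check does not treat that permission specially will now deny those users where it previously allowed them. That appears to be the intent (the SearchDisplay hunk re-adds the shortcut locally), but the point of removal deserves a comment so the next reader does not reintroduce the blanket bypass, e.g. `// No blanket super-admin shortcut here: each entity's checkAccess decides, since some entities restrict even super-admins.` The enclosing method starts and ends outside the hunk, so whether other code paths relied on the shortcut cannot be confirmed from here.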
@@ -24,9 +24,12 @@ class CRM_Search_BAO_SearchDisplay extends CRM_Search_DAO_SearchDisplay {
    * @return bool
    */
   public static function _checkAccess(string $entityName, string $action, array $record, int $userCID) {
-    // If we hit this function at all, the user is not a super-admin
-    // But they must be at least a SearchKit administrator
-    if (!CRM_Core_Permission::check([['administer CiviCRM data', 'administer search_kit']])) {
+    // Super-admins can do anything with search displays
+    if (CRM_Core_Permission::check('all CiviCRM permissions and ACLs', $userCID)) {
+      return TRUE;
+    }
+    // Must be at least a SearchKit administrator
+    if (!CRM_Core_Permission::check([['administer CiviCRM data', 'administer search_kit']], $userCID)) {
       return FALSE;
     }
     if (in_array($action, ['create', 'update'], TRUE)) {
-- 
2.25.1
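Review bot: The SearchKit-administrator check now receives `$userCID`, where the old line implicitly checked the logged-in session user; that is a behaviour change for every caller that evaluates access on behalf of a contact other than the current session, and it is not mentioned in the commit message. A short comment would make the contract explicit, e.g. `// Always evaluate against $userCID, not the session user: callers may be checking another contact's access.` If the create/update branch that begins at `if (in_array($action, ['create', 'update'], TRUE))` and continues outside the hunk also calls CRM_Core_Permission::check, it should pass `$userCID` as well, otherwise the method mixes two different subjects in one decision. The docblock declares `@return bool` but the signature has no native `: bool`; every visible path returns a bool, so adding it is safe.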