From 3be398f67a002a89df405b25667c99586036ff21 Mon Sep 17 00:00:00 2001
From: Eileen McNaughton
Date: Sun, 2 Apr 2023 14:48:29 +1200
Subject: [PATCH] Removed edit-in-place options from Import views on imported rows.

It's confusing to the user to be able to edit the records when they are already imported. This is not a real security thing - more of a UI thing - but Coleman recommends implementing through checkAccess. I did leave open the back door of being able to edit it if the status is now present as there isn't a real reason they shouldn't - just that it is confusing to present edit-in-place, except when they could edit & re-try the import
---
 ext/civiimport/Civi/Api4/Import.php | 2 +-
 .../Civi/Api4/Import/CheckAccessAction.php | 81 +++++++++++++++++++
 2 files changed, 82 insertions(+), 1 deletion(-)
 create mode 100644 ext/civiimport/Civi/Api4/Import/CheckAccessAction.php

diff --git a/ext/civiimport/Civi/Api4/Import.php b/ext/civiimport/Civi/Api4/Import.php
index e5ac05749a..e260cad411 100644
--- a/ext/civiimport/Civi/Api4/Import.php
+++ b/ext/civiimport/Civi/Api4/Import.php
@@ -10,7 +10,7 @@
 */
 namespace Civi\Api4;
 
-use Civi\Api4\Generic\CheckAccessAction;
+use Civi\Api4\Import\CheckAccessAction;
 use Civi\Api4\Generic\DAOGetAction;
 use Civi\Api4\Generic\DAOGetFieldsAction;
 use Civi\Api4\Action\GetActions;
diff --git a/ext/civiimport/Civi/Api4/Import/CheckAccessAction.php b/ext/civiimport/Civi/Api4/Import/CheckAccessAction.php
new file mode 100644
index 0000000000..04d01020e5
--- /dev/null
+++ b/ext/civiimport/Civi/Api4/Import/CheckAccessAction.php
@@ -0,0 +1,81 @@
+action;
+ $entity = $this->getEntityName();
+ $userID = \CRM_Core_Session::getLoggedInContactID() ?: 0;
+ if ($action === 'checkAccess') {
+ $granted = TRUE;
+ }
+ elseif (isset(\Civi::$statics[__CLASS__ . $entity][$action][$userID])) {
+ $granted = \Civi::$statics[__CLASS__ . $entity][$action][$userID];
+ }
+ // If _status is not passed we could do a look up - but this permission is more of a
+ // UI thing than a true permission - ie the point is not to confuse the user
+ // with a meaningless option to edit-in-place in the search so it's kinda optional.
+ elseif (in_array($this->getValue('_status'), ['soft_credit_imported', 'pledge_payment_imported', 'IMPORTED'])) {
+ $granted = \Civi::$statics[__CLASS__ . $entity][$action][$userID] = FALSE;
+ }
+ else {
+ $granted = \Civi::$statics[__CLASS__ . $entity][$action][$userID] = CoreUtil::checkAccessDelegated($entity, $action, $this->values, $userID);
+ }
+ $result->exchangeArray([['access' => $granted]]);
+ }
+
+ /**
+ * This action is always allowed
+ *
+ * @return bool
+ */
+ public function isAuthorized(): bool {
+ return TRUE;
+ }
+
+}
-- 
2.25.1
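Review bot: The memoization in this method is keyed only on `__CLASS__ . $entity`, `$action` and `$userID`, yet the value it stores depends on the per-row `_status`, and the `elseif (isset(\Civi::$statics[...]))` branch is consulted before `_status` is examined — so the first row evaluated for a given user/action fixes the answer for every later row in the same request (an imported row cached as FALSE hides edit-in-place on rows that should keep it; a non-imported row cached first re-enables it on imported rows). Move the `_status` test ahead of the cache and memoize only the delegated `CoreUtil::checkAccessDelegated()` result, as sketched below; that delegated call also receives `$this->values`, so if it is record-specific the same staleness applies there and the cache should be dropped entirely (I have kept the author's caching for that branch). The `in_array()` call should also pass `TRUE` as its third argument so the `_status` comparison is strict rather than loose. The method's signature and the file header are not visible in this hunk as rendered — the text begins mid-statement at `+action;` — so the opening of the enclosing method could not be reviewed.
```php
    $userID = \CRM_Core_Session::getLoggedInContactID() ?: 0;
    if ($action === 'checkAccess') {
      $granted = TRUE;
    }
    // … unchanged: explanatory comment on _status being optional …
    // Row-level decision: must not go through the per-user cache, because it
    // varies with the row's _status rather than with the user.
    elseif (in_array($this->getValue('_status'), ['soft_credit_imported', 'pledge_payment_imported', 'IMPORTED'], TRUE)) {
      $granted = FALSE;
    }
    else {
      // Only the entity/action/user-level delegated result is memoized.
      if (!isset(\Civi::$statics[__CLASS__ . $entity][$action][$userID])) {
        \Civi::$statics[__CLASS__ . $entity][$action][$userID] = CoreUtil::checkAccessDelegated($entity, $action, $this->values, $userID);
      }
      $granted = \Civi::$statics[__CLASS__ . $entity][$action][$userID];
    }
    // … unchanged: $result->exchangeArray(...) …
```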