From 4f48bc0328197e213c55c3b2f894b88084d3133b Mon Sep 17 00:00:00 2001
From: Rich Lott / Artful Robot
Date: Mon, 3 Jul 2023 11:23:41 +0100
Subject: [PATCH] standalone: grant certain perms to 'everyone' role
---
 .../Civi/Standalone/Security.php | 38 +++++++++----------
 .../init/StandaloneUsers.civi-setup.php | 4 +-
 2 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/ext/standaloneusers/Civi/Standalone/Security.php b/ext/standaloneusers/Civi/Standalone/Security.php
index 3014805bcd..fd106d1970 100644
--- a/ext/standaloneusers/Civi/Standalone/Security.php
+++ b/ext/standaloneusers/Civi/Standalone/Security.php
@@ -64,35 +64,35 @@ class Security { public function checkPermission(\CRM_Core_Permission_Standalone $permissionObject, string $permissionName, $userID) { // I think null means the current logged-in user - xdebug_break(); - $userID = $userID ?? $this->getLoggedInUfID(); - - if (!$userID) { - // permissions for anonymous user. @todo - return FALSE; - } + $userID = $userID ?? $this->getLoggedInUfID() ?? 0; if (!isset(\Civi::$statics[__METHOD__][$userID])) { - if ($userID) { + + $roleIDs = []; + if ($userID > 0) { $roleIDs = \Civi\Api4\User::get(FALSE)->addWhere('id', '=', $userID) ->addSelect('roles')->execute()->first()['roles']; - // Grant the 'Everyone' role, too. - $roleIDs[] = 1; - } - else { - // Everyone - $roleIDs = [1]; } - $permissionsPerRole = \Civi\Api4\Role::get(FALSE) + $permissionsPerRoleApiCall = \Civi\Api4\Role::get(FALSE) ->addSelect('permissions') - ->addWhere('id', 'IN', $roleIDs) - // ->addWhere('is_active', '=', TRUE) @todo - ->execute()->column('permissions'); - $permissions = array_unique(array_merge(...$permissionsPerRole)); + ->addWhere('is_active', '=', TRUE); + + if ($roleIDs) { + $permissionsPerRoleApiCall->addClause( + 'OR', + ['id', 'IN', $roleIDs], + ['name', '=', 'everyone'], + ); + } + else { + $permissionsPerRoleApiCall->addWhere('name', '=', 'everyone'); + } + $permissions = array_unique(array_merge(...$permissionsPerRoleApiCall->execute()->column('permissions'))); \Civi::$statics[__METHOD__][$userID] = $permissions; } + // print "Does user $userID have $permissionName? " . (in_array($permissionName, \Civi::$statics[__METHOD__][$userID]) ? 'yes': 'no') . "\n"; return in_array($permissionName, \Civi::$statics[__METHOD__][$userID]); } diff --git a/setup/plugins/init/StandaloneUsers.civi-setup.php b/setup/plugins/init/StandaloneUsers.civi-setup.php index b8a3b0bfed..c8c886eebc 100644 --- a/setup/plugins/init/StandaloneUsers.civi-setup.php +++ b/setup/plugins/init/StandaloneUsers.civi-setup.php 
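Review bot: The anonymous grant now hinges on `['name', '=', 'everyone']`, so any active role carrying that name passes its permissions to unauthenticated visitors, and nothing visible in this hunk shows that the name is unique or protected from being reused, which the old hard-coded id 1 did not depend on. A comment above the `addClause` call would record the assumption, for example `// 'everyone' is the built-in role applied to every caller, including anonymous; its name must stay unique and reserved`. The user lookup also has no counterpart to the new `is_active` filter on roles, so it is worth confirming that a disabled account cannot still resolve to its roles here. Finally, `->first()['roles']` yields null when the id matches no record; writing `->first()['roles'] ?? [];` makes the fallback to the everyone-only branch explicit instead of relying on a null array access. The class continues outside the hunk.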
@@ -48,8 +48,8 @@ if (!defined('CIVI_SETUP')) {
 [
 'name' => 'everyone',
 'label' => 'Everyone, including anonymous users',
- // @todo some standard ones, e.g. view civimail.
- 'permissions' => [],
+ // Provide default open permissions
+ 'permissions' => ['CiviMail subscribe/unsubscribe pages', 'make online contributions'],
 ],
 [
 'name' => 'admin',
-- 
2.25.1
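Review bot: The new `'permissions'` list is granted to unauthenticated visitors on every fresh install, but the comment `// Provide default open permissions` does not say what makes a permission safe to put here. I would replace it with something like `// Anonymous-safe defaults only: public (un)subscribe pages and contribution pages. Never add a permission that exposes contact data or admin screens.` so later additions get reviewed against that rule. The two names are free-text strings and nothing in the hunk checks them against the declared permission list, so a typo would silently grant nothing; whether setup validates them elsewhere is not visible here. The enclosing array starts and ends outside the hunk.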