From 7f3fa1c3162bb6b18a62c124f1235772ebb693f1 Mon Sep 17 00:00:00 2001
From: Coleman Watts 
Date: Fri, 5 Aug 2022 09:55:03 -0400
Subject: [PATCH] SearchKit - Fix viewing search display for anonymous user

This regressed in aa5d068b84f7ccd6370dd94339ecdc82c052a2c1 when the single SearchDisplay::run api call was replacd with an array of calls. The hack in alterApiRoutePermissions can't handle multiple calls. This updates it so that it can handle an array of calls - it will call the hook for each one and reject the request if any of them lack permission.
---
 CRM/Api4/Permission.php | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/CRM/Api4/Permission.php b/CRM/Api4/Permission.php
index c179ad57c0..fa8d0ecca0 100644
--- a/CRM/Api4/Permission.php
+++ b/CRM/Api4/Permission.php
@@ -22,17 +22,29 @@ class CRM_Api4_Permission {
   public static function check() {
-    $config = CRM_Core_Config::singleton();
-    $urlPath = explode('/', $_GET[$config->userFrameworkURLVar]);
-    $permissions = [
+    $urlPath = explode('/', CRM_Utils_System::currentPath());
+    $defaultPermissions = [
       ['access CiviCRM', 'access AJAX API'],
     ];
     if (!empty($urlPath[3])) {
       $entity = $urlPath[3];
       $action = $urlPath[4];
+      $permissions = $defaultPermissions;
       CRM_Utils_Hook::alterApiRoutePermissions($permissions, $entity, $action);
+      return CRM_Core_Permission::check($permissions);
+    }
+    else {
+      $calls = CRM_Utils_Request::retrieve('calls', 'String', CRM_Core_DAO::$_nullObject, TRUE, NULL, 'POST');
+      $calls = json_decode($calls, TRUE);
+      foreach ($calls as $call) {
+        $permissions = $defaultPermissions;
+        CRM_Utils_Hook::alterApiRoutePermissions($permissions, $call[0], $call[1]);
+        if (!CRM_Core_Permission::check($permissions)) {
+          return FALSE;
+        }
+      }
+      return TRUE;
     }
-    return CRM_Core_Permission::check($permissions);
   }
 }
-- 
2.25.1
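Review bot: In the new `else` branch the decoded `$calls` is iterated without checking that `json_decode` produced an array, so a malformed or scalar `calls` body (decoding to NULL or a non-array) makes the `foreach` emit a warning, skip its body and fall through to `return TRUE`, allowing the request with no permission check at all, whereas the removed code always required the default permissions in this case; an empty `[]` takes the same unchecked path. The `TRUE` (required) argument to `CRM_Utils_Request::retrieve` presumably rejects a missing parameter but does nothing to validate the JSON. Each element is also indexed as `$call[0]`/`$call[1]` with no shape check, so a non-array element hands NULL entity/action to the hook. I would fail closed: fall back to `CRM_Core_Permission::check($defaultPermissions)` when `$calls` is not a non-empty array, and reject the request when an element is not a two-element array. The whole `check()` method lies within this hunk.
```php
      $calls = json_decode($calls, TRUE);
      // Fail closed: anything other than a non-empty list of calls gets the default permission check.
      if (!is_array($calls) || $calls === []) {
        return CRM_Core_Permission::check($defaultPermissions);
      }
      foreach ($calls as $call) {
        if (!is_array($call) || !isset($call[0], $call[1])) {
          return FALSE;
        }
        $permissions = $defaultPermissions;
        // … unchanged: hook call and per-call permission check …
```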