From 93aa16c230c43370a2e67ec8618a6e88f3528dbb Mon Sep 17 00:00:00 2001
From: Coleman Watts
Date: Thu, 23 Jun 2022 20:32:50 -0400
Subject: [PATCH] RecentItems - Enforce permissions before adding item
---
 CRM/Utils/Recent.php | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/CRM/Utils/Recent.php b/CRM/Utils/Recent.php
index ab28c07ae9..f09ce294bb 100644
--- a/CRM/Utils/Recent.php
+++ b/CRM/Utils/Recent.php
@@ -80,8 +80,18 @@ class CRM_Utils_Recent {
 * Create function used by the API - supplies defaults
 *
 * @param array $params
+ * @param Civi\Api4\Generic\AbstractAction $action
 */
- public static function create(array $params) {
+ public static function create(array $params, Civi\Api4\Generic\AbstractAction $action) {
+ if ($action->getCheckPermissions()) {
+ $allowed = civicrm_api4($params['entity_type'], 'checkAccess', [
+ 'action' => 'get',
+ 'values' => ['id' => $params['entity_id']],
+ ], 0);
+ if (empty($allowed['access'])) {
+ return [];
+ }
+ }
 $params['title'] = $params['title'] ?? self::getTitle($params['entity_type'], $params['entity_id']);
 $params['view_url'] = $params['view_url'] ?? self::getUrl($params['entity_type'], $params['entity_id'], 'view');
 $params['edit_url'] = $params['edit_url'] ?? self::getUrl($params['entity_type'], $params['entity_id'], 'update');
@@ -186,7 +196,7 @@ class CRM_Utils_Recent {
 ], 0);
 $title = $record[$labelField] ?? NULL;
 }
- return $title ?? (CoreUtil::getInfoItem($entityType, 'label_field'));
+ return $title ?? (CoreUtil::getInfoItem($entityType, 'title'));
 }

 /**
--
2.25.1
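Review bot: A permission denial in the new `getCheckPermissions()` branch of create() is reported as a bare `return [];`, which a caller cannot tell apart from a create that succeeded with nothing to return, so a denied attempt to record a recent item leaves no signal in the API result and nothing for an operator to audit. If the project's API layer signals denial by throwing elsewhere (API4 has an UnauthorizedException for this, as far as I know), throwing that here would be consistent; otherwise the contract should at least be stated in the docblock, e.g. `@return array Empty when the caller lacks 'get' access to the entity; the item is not recorded.` Separately, `$action` is now a required second parameter, so any non-API caller still invoking `CRM_Utils_Recent::create($params)` with one argument would fail with an ArgumentCountError; if such call sites exist, a `?Civi\Api4\Generic\AbstractAction $action = NULL` default with the check guarded by `$action !== NULL &&` would keep them working while still enforcing permissions for API callers. The body of create() continues past the end of the hunk.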
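Review bot: The fallback change from `'label_field'` to `'title'` in the second hunk is unrelated to the permission enforcement named in the commit title and is not mentioned in the description, so it should be called out there or split into its own commit to keep the history searchable. The enclosing getTitle() starts outside the hunk, so I cannot confirm from here that the old key was returning a field name rather than a display string; if that is the defect being fixed, a short comment on the changed line such as `// Fall back to the entity's display title, not the name of its label field` would make the intent clear to the next reader.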