From ee0d82c6681c1f26bc7f08367127712fc2298a36 Mon Sep 17 00:00:00 2001
From: Coleman Watts
Date: Tue, 7 Jun 2022 20:20:13 -0400
Subject: [PATCH] Oauth - Use selectWhereClause to check perms instead of overriding API4 Get

Putting permission checks in the BAO ensures that they are always enforced regardless of which layer accesses them (Api3, Api4, etc) and that they will be enforced even if this is not the primary entity of the api call (e.g. using joins).
---
 .../CRM/OAuth/BAO/OAuthContactToken.php | 23 +++++++++++++++
 .../Api4/Action/OAuthContactToken/Get.php | 29 -------------------
 .../Civi/Api4/OAuthContactToken.php | 5 ----
 3 files changed, 23 insertions(+), 34 deletions(-)
 delete mode 100644 ext/oauth-client/Civi/Api4/Action/OAuthContactToken/Get.php

diff --git a/ext/oauth-client/CRM/OAuth/BAO/OAuthContactToken.php b/ext/oauth-client/CRM/OAuth/BAO/OAuthContactToken.php
index 920707b34f..c6b2add4d3 100644
--- a/ext/oauth-client/CRM/OAuth/BAO/OAuthContactToken.php
+++ b/ext/oauth-client/CRM/OAuth/BAO/OAuthContactToken.php
@@ -2,4 +2,27 @@
 class CRM_OAuth_BAO_OAuthContactToken extends CRM_OAuth_DAO_OAuthContactToken {
 
+ /**
+ * @inheritDoc
+ */
+ public function addSelectWhereClause() {
+ $clauses = [];
+ $loggedInContactID = CRM_Core_Session::getLoggedInContactID();
+
+ // With 'manage all' permission, apply standard contact ACLs
+ if (CRM_Core_Permission::check(['manage all OAuth contact tokens'])) {
+ $clauses['contact_id'] = CRM_Utils_SQL::mergeSubquery('Contact');
+ }
+ // With 'manage my' permission, limit to just the current user
+ elseif ($loggedInContactID && CRM_Core_Permission::check(['manage my OAuth contact tokens'])) {
+ $clauses['contact_id'] = "= $loggedInContactID";
+ }
+ // No permission, return nothing
+ else {
+ $clauses['contact_id'] = "= -1";
+ }
+ CRM_Utils_Hook::selectWhereClause($this, $clauses);
+ return $clauses;
+ }
+
 }
 
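Review bot: The `"= $loggedInContactID"` clause in the 'manage my' branch interpolates the session value straight into SQL, and since addSelectWhereClause is now the single enforcement point for every access layer, it should be cast defensively, `$clauses['contact_id'] = '= ' . (int) $loggedInContactID;`, so the clause stays well-formed whatever the session yields. Separately, the removed Api4 Get threw an UnauthorizedException for callers holding neither permission, whereas this clause silently returns an empty result set through `= -1`; that is a behaviour change callers may depend on, so the docblock should spell it out instead of only `@inheritDoc`, e.g. `* Restricts reads by permission: 'manage all' applies the standard contact ACLs, 'manage my' limits rows to the logged-in contact, otherwise no rows match (no exception is thrown).` Whether this clause is applied only when the caller requests permission checks is decided by the API layer, which is not visible in this hunk.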
diff --git a/ext/oauth-client/Civi/Api4/Action/OAuthContactToken/Get.php b/ext/oauth-client/Civi/Api4/Action/OAuthContactToken/Get.php
deleted file mode 100644
index 346dd90883..0000000000
--- a/ext/oauth-client/Civi/Api4/Action/OAuthContactToken/Get.php
+++ /dev/null
@@ -1,29 +0,0 @@
-applyContactTokenPermissions();
- parent::setDefaultWhereClause();
- }
-
- private function applyContactTokenPermissions() {
- if (!$this->getCheckPermissions()) {
- return;
- }
- if (\CRM_Core_Permission::check(['manage all OAuth contact tokens'])) {
- return;
- }
- if (\CRM_Core_Permission::check(['manage my OAuth contact tokens'])) {
- $loggedInContactID = \CRM_Core_Session::singleton()
- ->getLoggedInContactID();
- $this->addWhere('contact_id', '=', $loggedInContactID);
- return;
- }
- throw new \Civi\API\Exception\UnauthorizedException(ts('Insufficient permissions to get contact tokens'));
- }
-
- }
diff --git a/ext/oauth-client/Civi/Api4/OAuthContactToken.php b/ext/oauth-client/Civi/Api4/OAuthContactToken.php
index 59cd596251..55f2fe55e5 100644
--- a/ext/oauth-client/Civi/Api4/OAuthContactToken.php
+++ b/ext/oauth-client/Civi/Api4/OAuthContactToken.php
@@ -17,11 +17,6 @@ class OAuthContactToken extends Generic\DAOEntity {
 return $action->setCheckPermissions($checkPermissions);
 }
 
- public static function get($checkPermissions = TRUE) {
- $action = new Action\OAuthContactToken\Get(static::class, __FUNCTION__);
- return $action->setCheckPermissions($checkPermissions);
- }
-
 public static function update($checkPermissions = TRUE) {
 $action = new Action\OAuthContactToken\Update(static::class, __FUNCTION__);
 return $action->setCheckPermissions($checkPermissions);
-- 
2.25.1