Merge pull request #24180 from totten/master-sk-anon

SearchKit - Fix viewing search display for anonymous user
civicrm · Aug 9, 2022 · 4d51fa5 · 4d51fa5
2 parents d5b2b3f + 56adca7
commit 4d51fa5
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 6 deletions.
diff --git a/CRM/Api4/Page/AJAX.php b/CRM/Api4/Page/AJAX.php
@@ -58,17 +58,18 @@ public function run() {
       CRM_Utils_System::civiExit();
     }
     try {
-      // Call multiple
+      // Two call formats. Which one was used? Note: CRM_Api4_Permission::check() and CRM_Api4_Page_AJAX::run() should have matching conditionals.
       if (empty($this->urlPath[3])) {
+        // Received multi-call format
         $calls = CRM_Utils_Request::retrieve('calls', 'String', CRM_Core_DAO::$_nullObject, TRUE, NULL, 'POST');
         $calls = json_decode($calls, TRUE);
         $response = [];
         foreach ($calls as $index => $call) {
           $response[$index] = call_user_func_array([$this, 'execute'], $call);
         }
       }
-      // Call single
       else {
+        // Received single-call format
         $entity = $this->urlPath[3];
         $action = $this->urlPath[4];
         $params = CRM_Utils_Request::retrieve('params', 'String');

diff --git a/CRM/Api4/Permission.php b/CRM/Api4/Permission.php
@@ -22,17 +22,32 @@
 class CRM_Api4_Permission {
 
   public static function check() {
-    $config = CRM_Core_Config::singleton();
-    $urlPath = explode('/', $_GET[$config->userFrameworkURLVar]);
-    $permissions = [
+    $urlPath = explode('/', CRM_Utils_System::currentPath());
+    $defaultPermissions = [
       ['access CiviCRM', 'access AJAX API'],
     ];
+    // Two call formats. Which one was used? Note: CRM_Api4_Permission::check() and CRM_Api4_Page_AJAX::run() should have matching conditionals.
     if (!empty($urlPath[3])) {
+      // Received single-call format
       $entity = $urlPath[3];
       $action = $urlPath[4];
+      $permissions = $defaultPermissions;
       CRM_Utils_Hook::alterApiRoutePermissions($permissions, $entity, $action);
+      return CRM_Core_Permission::check($permissions);
+    }
+    else {
+      // Received multi-call format
+      $calls = CRM_Utils_Request::retrieve('calls', 'String', CRM_Core_DAO::$_nullObject, TRUE, NULL, 'POST');
+      $calls = json_decode($calls, TRUE);
+      foreach ($calls as $call) {
+        $permissions = $defaultPermissions;
+        CRM_Utils_Hook::alterApiRoutePermissions($permissions, $call[0], $call[1]);
+        if (!CRM_Core_Permission::check($permissions)) {
+          return FALSE;
+        }
+      }
+      return TRUE;
     }
-    return CRM_Core_Permission::check($permissions);
   }
 
 }