Implement getAccess for custom entities

civicrm · May 7, 2021 · f976685 · f976685
1 parent d5d728c
commit f976685
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 2 deletions.
diff --git a/CRM/Core/BAO/CustomValue.php b/CRM/Core/BAO/CustomValue.php
@@ -221,4 +221,32 @@ public function addSelectWhereClause() {
     return $clauses;
   }
 
+  /**
+   * Special checkAccess function for multi-record custom pseudo-entities
+   *
+   * @param string $action
+   * @param array $record
+   * @param null $userID
+   * @param bool $granted
+   * @param string $groupName
+   * @return bool
+   */
+  public static function checkAccess(string $action, array $record, $userID = NULL, $granted = TRUE, $groupName = NULL): bool {
+    if (!$groupName) {
+      // $groupName is required but the function signature has to match the parent.
+      throw new CRM_Core_Exception('Missing required $groupName in CustomValue::checkAccess');
+    }
+    // Currently, multi-record custom data always extends Contacts
+    $cid = $record['entity_id'] ?? NULL;
+    if (!$cid) {
+      $tableName = CRM_Core_DAO::getFieldValue('CRM_Core_DAO_CustomGroup', $groupName, 'table_name', 'name');
+      $cid = CRM_Core_DAO::singleValueQuery("SELECT entity_id FROM `$tableName` WHERE id = " . (int) $record['id']);
+    }
+    $granted = CRM_Contact_BAO_Contact::checkAccess(CRM_Core_Permission::EDIT, ['id' => $cid], $userID, $granted);
+
+    // Dispatch to hook
+    CRM_Utils_Hook::checkAccess("Custom_$groupName", $action, $record, $userID, $granted);
+    return $granted;
+  }
+
 }
diff --git a/Civi/Api4/Utils/CoreUtil.php b/Civi/Api4/Utils/CoreUtil.php
@@ -175,9 +175,13 @@ public static function checkAccess(string $entityName, string $actionName, array
       $granted = $granted && $action->addSelect('id')->addWhere('id', '=', $record['id'])->execute()->count();
     }
     else {
-      $baoName = self::getBAOFromApiName($entityName);
       // If entity has a BAO, run the BAO::checkAccess function, which will call the hook
-      if ($baoName && strpos($baoName, '_BAO_')) {
+      $baoName = self::getBAOFromApiName($entityName);
+      // CustomValue also requires the name of the group
+      if ($baoName === 'CRM_Core_BAO_CustomValue') {
+        $granted = \CRM_Core_BAO_CustomValue::checkAccess($actionName, $record, NULL, $granted, substr($entityName, 7));
+      }
+      elseif ($baoName) {
         $granted = $baoName::checkAccess($actionName, $record, NULL, $granted);
       }
       // Otherwise, call the hook directly