Add checkAccess API & BAO functions + hook_civicrm_checkAccess

[colemanw]

Overview

This combines work done by @eileenmcnaughton in #20035 with WIP from #19837 to make a checkAccess function that works at both the APIv4 and BAO layers. It standardizes on api-style entity & action names, and provides hooks the opportunity to escalate permissions or deny access on a per-record basis.

[civibot]

(Standard links)

• If this is your first pull-request for CiviCRM, please browse CONTRIBUTING.md for information about the development and testing processes.
• If you are reviewing this pull-request, you may wish to consult the test sites and the Review Standards (long template, short template).

[eileenmcnaughton]

Yeah I am thinking about my previous approach - I guess that although we can do WHERE on the update & delete we actually call each one individually. As long as we are not having to decide about too many edit links at once then checking 1 by one is OK

[eileenmcnaughton]

I think this should be clarified as the contact is whose permissions are being checked (otherwise on some api it could be the contact who we want to know about permission to)

[eileenmcnaughton]

This all looks good & I think we have test cover in the changes to the financialacls code

I kinda wonder about performance - an extra hook call every create/update but I guess we already do the pre & post hook & it has caching but @totten do you have any thoughts on whether that should be a consideration?

I'll give it a final r-run if we confirm this & you also fix the one minor code comment above

[totten]

On the performance front... obviously, it's hard to say authoritative things without usage-profiles/benchmarks. My gut says:

• Agree it's ultimately useful to be able to extend access checks.
• Yes, it's OK to fire a hook during a read - if you're expecting 0-4 listeners, then the extra dispatch work isn't much.
• But, I'm skeptical about having the API issue sub-requests via AbstractAction::checkAccess() => civicrm_api4($entity,'checkAccess'). The problem is that API sub-requests are also deeply hookable, so it may fire another half-dozen events with 50 listeners. And basically all of them will be doing interest-checks to say "No, I don't have any interest in changing this API call".

It does seem that this arrangement allows you to have one implementation of checkAccess which is shared for both internal-consumers ($this->checkAccess()) as well as external-consumers (POST /civicrm/ajax/api4/Contact/checkAccess). That seems good. However, I think you could get this same consistency/sharing with less overhead -- e.g.

• Civi\Api4\Utils\CoreUtil::checkAccess() has your main access check (basically, moving the current CheckAccessAction::_run())
• Internal calls to $this->checkAccess()delegate to CoreUtil::checkAccess() (or are straight-up replaced by CoreUtil::checkAccess()).
• The public-facing CheckAccessAction::_run() delegates to CoreUtil::checkAccess().

In theory, this loses the ability to customize $this->checkAccess() for each entity. But I think maybe that's a good thing. There are currently 3 ways to customize checkAccess (impl hook_checkAccess, impl $baoName::checkAccess(), and impl MyAction::checkAccess()). Even if you drop MyAction::checkAccess() as a customization-point, you still have 2 more.

[colemanw]

That's a good suggestion @totten - while we're at it, the CoreUtil::checkAccess() could be the central place to dispatch your new civi.api4.validate event (which we might consider renaming to civi.api4.checkAccess).

[seamuslee001]

@colemanw I think test failures relate here

[colemanw]

This is now passing tests and also increases coverage by removing the early return in ACLPermissionTest.php

[eileenmcnaughton]

@jackrabbithanna FYI this might be useful to you once merged. The immediate use-case is to determine whether to permit edit-in-place on search results

[jackrabbithanna]

@eileenmcnaughton I've been watching this. Definitely thinking about its application for access control discussion https://github.com/eileenmcnaughton/civicrm_entity/issues/296

[totten]

@colemanw, a few things:

• Added a commit to normalize/improve some of the docblocks.

• Rebased to cleanup some commit messages ("getAccess"=>"checkAccess")

• We probably need some kind of test-coverage here. I've pushed a revision for APIv4's ConformanceTest which ensures that hook_checkAccess runs during some actions (and that &$granted is respected). On my local, this seemed to pass with most entities - by EntityTag and UFJoin failed. Here's the failure for EntityTag:

  TypeError: Argument 5 passed to CRM_Utils_Hook::checkAccess() must be of the type boolean, null given, called in /home/totten/bknix/build/dmaster/web/sites/all/modules/civicrm/CRM/Core/DAO.php on line 3075
  
  /home/totten/bknix/build/dmaster/web/sites/all/modules/civicrm/CRM/Utils/Hook.php:2103
  /home/totten/bknix/build/dmaster/web/sites/all/modules/civicrm/CRM/Core/DAO.php:3075
  /home/totten/bknix/build/dmaster/web/sites/all/modules/civicrm/Civi/Api4/Utils/CoreUtil.php:185
  /home/totten/bknix/build/dmaster/web/sites/all/modules/civicrm/Civi/Api4/Generic/AbstractCreateAction.php:70
  /home/totten/bknix/build/dmaster/web/sites/all/modules/civicrm/Civi/Api4/Generic/DAOCreateAction.php:51
  /home/totten/bknix/build/dmaster/web/sites/all/modules/civicrm/Civi/Api4/Generic/DAOCreateAction.php:36
  /home/totten/bknix/build/dmaster/web/sites/all/modules/civicrm/Civi/Api4/Provider/ActionObjectProvider.php:68
  /home/totten/bknix/build/dmaster/web/sites/all/modules/civicrm/Civi/API/Kernel.php:149
  /home/totten/bknix/build/dmaster/web/sites/all/modules/civicrm/Civi/Api4/Generic/AbstractAction.php:239
  /home/totten/bknix/build/dmaster/web/sites/all/modules/civicrm/tests/phpunit/api/v4/Entity/ConformanceTest.php:269
  /home/totten/bknix/build/dmaster/web/sites/all/modules/civicrm/tests/phpunit/api/v4/Entity/ConformanceTest.php:152
  /home/totten/bknix/extern/phpunit6/phpunit6.phar:570
  

  It seems the handling of $granted changed a bit mid-patch? Most of the time, $granted is passed-by-reference, but for EntityTag (CRM_Core_DynamicFKAccessTrait) there's a case where it's @return bool. This fails b/c it returns a NULL. Maybe the signature should be lined-up better as part of a fix?

• I wasn't completely sure which actions are supposed to support hook_checkAccess, but (based on skimming CRM_Contact_BAO_Contact::_checkAccess()) it seems that at least 3 would be expected: create, get, delete. I also drafted a commit which tests it for get (9685ce6). However, I didn't push this up because it seems to fail across the board.

[totten]

Trying to get my head around the code, I made some notes which may be useful for anyone reading this:

• https://gist.github.com/totten/33102245d2db0a20a8724343aa65bb5e - Summarize the various new functions and their role/relation
• https://gist.github.com/totten/1ca3bb63a422f80c37a180f339e127d2 - Summarize list of action-classes and whether/how they support checkAccess

[eileenmcnaughton]

@colemanw @totten so status is that the unit test fails need addressing & this is more or less agreed?

I have come across a couple of things that might be able to leverage this but might require more thought

1. register for event - there are permission checks in the event registration forms to see if someone can register for an event & if they can register for the specific event. This is not an api action per se but it is in the larger space

2. CustomField::check() - I've been looking at this PR Respect ACL for multi-value custom field (originally PR#15347) #19026 & wondering if it could leverage the new api

[colemanw]

I think I fixed the test.

[eileenmcnaughton]

nope

[colemanw]

Jenkins couldn't apply the patch. I squashed a couple commits let's see if that helps.

[totten]

jenkins, test this please

[totten]

Replaced by #20533