From ca7b04422ebb0bc59f94419cfe065ad7496be956 Mon Sep 17 00:00:00 2001 From: Coleman Watts Date: Fri, 21 Jan 2022 12:08:28 -0500 Subject: [PATCH 1/2] SearchKit - Fix `checkEntityAccess` for anonymous users This function checks to see if a user has access to "get", but anonymous users might not even have access to check if they have access! --- Civi/Api4/Query/Api4SelectQuery.php | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/Civi/Api4/Query/Api4SelectQuery.php b/Civi/Api4/Query/Api4SelectQuery.php index 82b835d5c2ea..f08bbbf6be8e 100644 --- a/Civi/Api4/Query/Api4SelectQuery.php +++ b/Civi/Api4/Query/Api4SelectQuery.php @@ -680,10 +680,16 @@ public function checkEntityAccess($entity) { return TRUE; } if (!isset($this->entityAccess[$entity])) { - $this->entityAccess[$entity] = (bool) civicrm_api4($entity, 'getActions', [ - 'where' => [['name', '=', 'get']], - 'select' => ['name'], - ])->first(); + try { + $this->entityAccess[$entity] = (bool) civicrm_api4($entity, 'getActions', [ + 'where' => [['name', '=', 'get']], + 'select' => ['name'], + ])->first(); + } + // Anonymous users might not even be allowed to use 'getActions' + catch (UnauthorizedException $e) { + $this->entityAccess[$entity] = FALSE; + } } return $this->entityAccess[$entity]; } From 2775280263cbf1d6474bbc89fdac598ce18a1830 Mon Sep 17 00:00:00 2001 From: Coleman Watts Date: Fri, 21 Jan 2022 15:00:35 -0500 Subject: [PATCH 2/2] SearchKit - Fix loading metadata for anonymous users The `checkPermissions` param was previously not getting copied into `$this->savedSearch['api_params']` which caused trouble for less- permissioned users, esp when the Run action is trying to internally load field metadata. --- .../Civi/Api4/Action/SearchDisplay/AbstractRunAction.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
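Review bot: The added `catch (UnauthorizedException $e)` only does its job if that short name resolves to the exception class `civicrm_api4` actually throws; in a namespaced file an unimported name resolves relative to the file's own namespace, and a non-matching catch would silently let the exception escape, leaving anonymous users with the same failure as before. The file's `use` block is outside the hunk, so please confirm it imports the API's UnauthorizedException. Caching `FALSE` on denial is the right fail-closed choice; a comment inside the catch block such as `// Fail closed: a user who cannot even list actions is treated as having no access to the entity.` would make that intent explicit, and is clearer than the comment currently placed between `}` and `catch`. checkEntityAccess starts before the hunk, so the condition guarding the early `return TRUE;` is not visible here.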
diff --git a/ext/search_kit/Civi/Api4/Action/SearchDisplay/AbstractRunAction.php b/ext/search_kit/Civi/Api4/Action/SearchDisplay/AbstractRunAction.php
index f6957086d079..795bb7d4922d 100644
--- a/ext/search_kit/Civi/Api4/Action/SearchDisplay/AbstractRunAction.php
+++ b/ext/search_kit/Civi/Api4/Action/SearchDisplay/AbstractRunAction.php
@@ -115,7 +115,7 @@ public function _run(\Civi\Api4\Generic\Result $result) {
 throw new UnauthorizedException('Access denied');
 }
- $this->_apiParams['checkPermissions'] = empty($this->display['acl_bypass']);
+ $this->_apiParams['checkPermissions'] = $this->savedSearch['api_params']['checkPermissions'] = empty($this->display['acl_bypass']);
 $this->display['settings']['columns'] = $this->display['settings']['columns'] ?? [];
 $this->processResult($result);
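Review bot: The chained assignment on the added line packs a permission-relevant decision into one dense statement; name the `acl_bypass` derivation once and feed both consumers from it: `$checkPermissions = empty($this->display['acl_bypass']);` / `$this->_apiParams['checkPermissions'] = $checkPermissions;` / `$this->savedSearch['api_params']['checkPermissions'] = $checkPermissions;`. Holding two copies of the flag invites drift if either array is modified later, so if `_apiParams` is derived from `savedSearch['api_params']` elsewhere (not visible here) consider setting it only at the source. A why-comment such as `// Propagate the bypass decision to the saved-search params too, so internal field-metadata lookups run in the same permission mode as the query itself.` would carry the commit message's rationale into the code. _run starts before and continues after the hunk, so the check that throws `UnauthorizedException('Access denied')` above is only partly visible.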