From 9e10c913757133eb740bd92c18a978c3b9aee7fb Mon Sep 17 00:00:00 2001
From: Tim Otten
Date: Sat, 4 Jun 2022 01:02:06 -0700
Subject: [PATCH] APIv4 - Allow creator to read `UserJob` and `Queue` records

Before
------
* `Queue.get` requires permission `administer queues`
* `UserJob.*` requires permission `access CiviCRM`, but it only returns records if where the `created_id` matches current-user
After
-----
* `Queue.get` and `UserJob.*` follow similar rules
* Users with permission `administer queues` can view all
* Users with permission `access CiviCRM` can view items where `created_id` matches current-user
---
 CRM/Core/BAO/UserJob.php | 6 +++++-
 CRM/Queue/BAO/Queue.php | 10 ++++++++++
 Civi/Api4/Queue.php | 1 +
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/CRM/Core/BAO/UserJob.php b/CRM/Core/BAO/UserJob.php
index 193d7186e09b..a8cafe65d721 100644
--- a/CRM/Core/BAO/UserJob.php
+++ b/CRM/Core/BAO/UserJob.php
@@ -32,7 +32,11 @@ class CRM_Core_BAO_UserJob extends CRM_Core_DAO_UserJob {
 * @inheritDoc
 */
 public function addSelectWhereClause(): array {
- $clauses['created_id'] = '= ' . (int) CRM_Core_Session::getLoggedInContactID();
+ $clauses = [];
+ if (!\CRM_Core_Permission::check('administer queues')) {
+ $clauses['created_id'] = '= ' . (int) CRM_Core_Session::getLoggedInContactID();
+ }
+ CRM_Utils_Hook::selectWhereClause($this, $clauses);
 return $clauses;
 }
 
diff --git a/CRM/Queue/BAO/Queue.php b/CRM/Queue/BAO/Queue.php
index 35f8be2b9d5e..db62b4128915 100644
--- a/CRM/Queue/BAO/Queue.php
+++ b/CRM/Queue/BAO/Queue.php
@@ -20,6 +20,16 @@
 */
 class CRM_Queue_BAO_Queue extends CRM_Queue_DAO_Queue implements \Civi\Core\HookInterface {
 
+ public function addSelectWhereClause(): array {
+ $clauses = [];
+ if (!\CRM_Core_Permission::check('administer queues')) {
+ $cid = (int) CRM_Core_Session::getLoggedInContactID();
+ $clauses['id'] = "IN (SELECT queue_id FROM `civicrm_user_job` WHERE created_id = $cid)";
+ }
+ CRM_Utils_Hook::selectWhereClause($this, $clauses);
+ return $clauses;
+ }
+
 /**
 * Get a list of valid statuses.
 *
diff --git a/Civi/Api4/Queue.php b/Civi/Api4/Queue.php
index 86173f6d3c64..f50486245719 100644
--- a/Civi/Api4/Queue.php
+++ b/Civi/Api4/Queue.php
@@ -34,6 +34,7 @@ public static function permissions() {
 return [
 'meta' => ['access CiviCRM'],
 'default' => ['administer queues'],
+ 'get' => ['access CiviCRM'],
 'runItem' => [\CRM_Core_Permission::ALWAYS_DENY_PERMISSION],
 ];
 }
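Review bot: The new permission check in `addSelectWhereClause` is written as `\CRM_Core_Permission::check(...)` with a leading backslash while `CRM_Core_Session` and `CRM_Utils_Hook` on the neighbouring lines are unqualified; presumably this file sits in the global namespace, so both forms resolve to the same class, but the mix reads as if one reference were special. Suggest the unqualified `if (!CRM_Core_Permission::check('administer queues')) {` to match the rest of the method; the same mix appears in the CRM/Queue/BAO/Queue.php hunk. Since the docblock is only `@inheritDoc`, a one-line why-comment on the branch would help the next reader, e.g. `// Queue administrators see every job; everyone else is limited to jobs they created.`. Note that for a request with no logged-in contact the cast yields `created_id = 0`, so such callers match nothing unless a row actually carries that value.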
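Review bot: The new `CRM_Queue_BAO_Queue::addSelectWhereClause` has no docblock, unlike its counterpart in CRM/Core/BAO/UserJob.php in the same commit, which carries `@inheritDoc`; add the same `/** @inheritDoc */` block above the method. The `$cid` interpolated into the `IN (SELECT queue_id FROM ...)` string is `(int)`-cast on the line before, so the SQL is safe, but that invariant is worth stating next to the interpolation, e.g. `// $cid is an int cast, so interpolating it into the subquery is safe.`. A why-comment on the subquery itself would also make the visibility rule explicit: `// Non-admins only see queues that one of their own user jobs points at; queues with no linked user job stay hidden.`. The class body continues past the end of the hunk.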
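Review bot: Relaxing `get` to `access CiviCRM` in `permissions()` is only safe because of the row-level filter added to `CRM_Queue_BAO_Queue::addSelectWhereClause` in this same commit, and nothing in this hunk records that coupling. Suggest a comment on the new entry, e.g. `'get' => ['access CiviCRM'], // rows are filtered per-user in CRM_Queue_BAO_Queue::addSelectWhereClause()`, so a future change to either side does not silently widen what non-admins can read. As far as the hunk shows, the BAO clause is the sole guard for non-admin `get` calls, so its behaviour should be covered by a test alongside this change.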