/** * @param \Civi\API\Event\AuthorizeEvent $event * API authorization event. * * @throws \Civi\API\Exception\UnauthorizedException */ public function onApiAuthorize(\Civi\API\Event\AuthorizeEvent $event) { $apiRequest = $event->getApiRequest(); if ($apiRequest['version'] < 4) { // return early unless we’re told explicitly to do the permission check if (empty($apiRequest['params']['check_permissions']) or $apiRequest['params']['check_permissions'] == FALSE) { $event->authorize(); $event->stopPropagation(); return; } require_once 'CRM/Core/DAO/permissions.php'; $permissions = _civicrm_api3_permissions($apiRequest['entity'], $apiRequest['action'], $apiRequest['params']); // $params might’ve been reset by the alterAPIPermissions() hook if (isset($apiRequest['params']['check_permissions']) and $apiRequest['params']['check_permissions'] == FALSE) { $event->authorize(); $event->stopPropagation(); return; } if (!\CRM_Core_Permission::check($permissions) and !self::checkACLPermission($apiRequest)) { if (is_array($permissions)) { foreach ($permissions as &$permission) { if (is_array($permission)) { $permission = '( ' . implode(' or ', $permission) . ' )'; } } $permissions = implode(' and ', $permissions); } // FIXME: Generating the exception ourselves allows for detailed error // but doesn't play well with multiple authz subscribers. throw new \Civi\API\Exception\UnauthorizedException("API permission check failed for {$apiRequest['entity']}/{$apiRequest['action']} call; insufficient permission: require {$permissions}"); } $event->authorize(); $event->stopPropagation(); } }
/** * @param \Civi\API\Event\AuthorizeEvent $event */ public function onApiAuthorize(\Civi\API\Event\AuthorizeEvent $event) { $apiRequest = $event->getApiRequest(); if (isset($apiRequest['is_metadata'])) { // if (\CRM_Core_Permission::check('access AJAX API') || \CRM_Core_Permission::check('access CiviCRM')) { $event->authorize(); $event->stopPropagation(); // } } }
/** * @param \Civi\API\Event\AuthorizeEvent $event * API authorization event. */ public function onApiAuthorize(\Civi\API\Event\AuthorizeEvent $event) { $apiRequest = $event->getApiRequest(); if ($this->matchesRequest($apiRequest) && \CRM_Core_Permission::check($this->actions[strtolower($apiRequest['action'])]['perm'])) { $event->authorize(); $event->stopPropagation(); } }