DynamicFKAuthorization
in package
implements
EventSubscriberInterface
This is only used by the APIv3 "Attachment" entity.
APIv3 only.
Given an entity which dynamically attaches itself to another entity, determine if one has permission to the other entity.
Example: Suppose one tries to manipulate a File which is attached to a Mailing. DynamicFKAuthorization will enforce permissions on the File by imitating the permissions of the Mailing.
Note: This enforces a constraint: all matching API calls must define "id" (e.g. for the file) or "entity_table+entity_id" or "field_name+entity_id".
Note: The permission guard does not exactly authorize the request, but it may veto authorization.
Table of Contents
Interfaces
- EventSubscriberInterface
Properties
- $kernel : Kernel
- $actions : array<string|int, string>
- The actions for which we want to manage permissions
- $allowedDelegates : array<string|int, mixed>
- List of related tables for which FKs are allowed.
- $entityName : string
- The entity for which we want to manage permissions.
- $lookupCustomFieldCache : array<string|int, mixed>
- $lookupCustomFieldSql : string
- SQL SELECT query. Get a list of (field_name, table_name, extends) tuples.
- $lookupDelegateSql : string
- SQL SELECT query - Given a file ID, determine the entity+table it's attached to.
Methods
- __construct() : mixed
- authorizeDelegate() : mixed
- getCustomFields() : array<string|int, mixed>
- getDelegate() : array<string|int, mixed>
- getDelegatedAction() : string
- getDelegatedEntityName() : string|null
- getSubscribedEvents() : array<string|int, mixed>
- isTrusted() : bool
- onApiAuthorize() : mixed
- preventReassignment() : mixed
- If the request attempts to change the entity_table/entity_id of an existing record, then generate an error.
Properties
$kernel
public
Kernel
$kernel
Treat as private. Marked public due to PHP 5.3-compatibility issues.
$actions
The actions for which we want to manage permissions
protected
array<string|int, string>
$actions
$allowedDelegates
List of related tables for which FKs are allowed.
protected
array<string|int, mixed>
$allowedDelegates
$entityName
The entity for which we want to manage permissions.
protected
string
$entityName
$lookupCustomFieldCache
protected
array<string|int, mixed>
$lookupCustomFieldCache
Each item is an array(field_name => $, table_name => $, extends => $)
$lookupCustomFieldSql
SQL SELECT query. Get a list of (field_name, table_name, extends) tuples.
protected
string
$lookupCustomFieldSql
For example, one tuple might be ("custom_123", "civicrm_value_mygroup_4", "Activity").
$lookupDelegateSql
SQL SELECT query - Given a file ID, determine the entity+table it's attached to.
protected
string
$lookupDelegateSql
ex: "SELECT if(cf.id,1,0) as is_valid, cef.entity_table, cef.entity_id FROM civicrm_file cf INNER JOIN civicrm_entity_file cef ON cf.id = cef.file_id WHERE cf.id = %1"
Note: %1 is a parameter Note: There are three parameters
- is_valid: "1" if %1 identifies an actual record; otherwise "0"
- entity_table: NULL or the name of a related table
- entity_id: NULL or the ID of a row in the related table
Methods
__construct()
public
__construct(Kernel $kernel, string $entityName, array<string|int, mixed> $actions, string $lookupDelegateSql, string $lookupCustomFieldSql[, array<string|int, mixed>|null $allowedDelegates = NULL ]) : mixed
Parameters
- $kernel : Kernel
-
The API kernel.
- $entityName : string
-
The entity for which we want to manage permissions (e.g. "File" or "Note").
- $actions : array<string|int, mixed>
-
The actions for which we want to manage permissions (e.g. "create", "get", "delete").
- $lookupDelegateSql : string
-
See docblock in DynamicFKAuthorization::$lookupDelegateSql.
- $lookupCustomFieldSql : string
-
See docblock in DynamicFKAuthorization::$lookupCustomFieldSql.
- $allowedDelegates : array<string|int, mixed>|null = NULL
-
e.g. "civicrm_mailing","civicrm_activity"; NULL to allow any.
authorizeDelegate()
public
authorizeDelegate(string $action, string $entityTable, int|null $entityId, array<string|int, mixed> $apiRequest) : mixed
Parameters
- $action : string
-
The API action (e.g. "create").
- $entityTable : string
-
The target entity table (e.g. "civicrm_mailing").
- $entityId : int|null
-
The target entity ID.
- $apiRequest : array<string|int, mixed>
-
The full API request.
Tags
getCustomFields()
public
getCustomFields() : array<string|int, mixed>
Return values
array<string|int, mixed> —Each item has keys 'field_name', 'table_name', 'extends', 'entity_table'
getDelegate()
public
getDelegate(int $id) : array<string|int, mixed>
Parameters
- $id : int
-
e.g. file ID.
Tags
Return values
array<string|int, mixed> —(0 => bool $isValid, 1 => string $entityTable, 2 => int $entityId)
getDelegatedAction()
public
getDelegatedAction(string $action) : string
Parameters
- $action : string
-
API action name -- e.g. "create" ("When running create on a file...").
Return values
string —e.g. "create" ("Check for create permission on the mailing to which it is attached.")
getDelegatedEntityName()
public
getDelegatedEntityName(string $entityTable) : string|null
Parameters
- $entityTable : string
-
The target entity table (e.g. "civicrm_mailing" or "civicrm_activity").
Return values
string|null —The target entity name (e.g. "Mailing" or "Activity").
getSubscribedEvents()
public
static getSubscribedEvents() : array<string|int, mixed>
Return values
array<string|int, mixed>isTrusted()
public
isTrusted(array<string|int, mixed> $apiRequest) : bool
Parameters
- $apiRequest : array<string|int, mixed>
-
The full API request.
Return values
boolonApiAuthorize()
public
onApiAuthorize(AuthorizeEvent $event) : mixed
Parameters
- $event : AuthorizeEvent
-
API authorization event.
Tags
preventReassignment()
If the request attempts to change the entity_table/entity_id of an existing record, then generate an error.
public
preventReassignment(int $fileId, string $entityTable, int $entityId, array<string|int, mixed> $apiRequest) : mixed
Parameters
- $fileId : int
-
The main record being changed.
- $entityTable : string
-
The saved FK.
- $entityId : int
-
The saved FK.
- $apiRequest : array<string|int, mixed>
-
The full API request.