1. class
  2. Civi
  3. \
  4. API
  5. \
  6. Subscriber
  7. \
  8. DynamicFKAuthorization

DynamicFKAuthorization

class DynamicFKAuthorization implements EventSubscriberInterface

Given an entity which dynamically attaches itself to another entity, determine if one has permission to the other entity.

Example: Suppose one tries to manipulate a File which is attached to a Mailing. DynamicFKAuthorization will enforce permissions on the File by imitating the permissions of the Mailing.

Note: This enforces a constraint: all matching API calls must define "id" (e.g. for the file) or "entity_table+entity_id" or "field_name+entity_id".

Note: The permission guard does not exactly authorize the request, but it may veto authorization.

Properties

Kernel $kernel
protected string, $entityName
protected array $actions
protected string, $lookupDelegateSql
protected string, $lookupCustomFieldSql
protected array $lookupCustomFieldCache
protected array $allowedDelegates

Methods

static array
getSubscribedEvents()

No description

__construct(Kernel $kernel, string $entityName, array $actions, string $lookupDelegateSql, string $lookupCustomFieldSql, array|NULL $allowedDelegates = NULL)

No description

onApiAuthorize(AuthorizeEvent $event)

No description

authorizeDelegate(string $action, string $entityTable, int|null $entityId, array $apiRequest)

No description

preventReassignment(int $fileId, string $entityTable, int $entityId, array $apiRequest)

If the request attempts to change the entity_table/entity_id of an existing record, then generate an error.

string|NULL
getDelegatedEntityName(string $entityTable)

No description

string
getDelegatedAction(string $action)

No description

array
getDelegate(int $id)

No description

bool
isTrusted(array $apiRequest)

No description

array
getCustomFields()

No description

Details

at line 53
static array getSubscribedEvents()

Return Value

array

at line 130
__construct(Kernel $kernel, string $entityName, array $actions, string $lookupDelegateSql, string $lookupCustomFieldSql, array|NULL $allowedDelegates = NULL)

Parameters

Kernel $kernel The API kernel.
string $entityName The entity for which we want to manage permissions (e.g. "File" or "Note").
array $actions The actions for which we want to manage permissions (e.g. "create", "get", "delete").
string $lookupDelegateSql See docblock in DynamicFKAuthorization::$lookupDelegateSql.
string $lookupCustomFieldSql See docblock in DynamicFKAuthorization::$lookupCustomFieldSql.
array|NULL $allowedDelegates e.g. "civicrm_mailing","civicrm_activity"; NULL to allow any.

at line 145
onApiAuthorize(AuthorizeEvent $event)

Parameters

AuthorizeEvent $event API authorization event.

Exceptions

API_Exception
UnauthorizedException

at line 211
authorizeDelegate(string $action, string $entityTable, int|null $entityId, array $apiRequest)

Parameters

string $action The API action (e.g. "create").
string $entityTable The target entity table (e.g. "civicrm_mailing").
int|null $entityId The target entity ID.
array $apiRequest The full API request.

Exceptions

Exception
API_Exception
UnauthorizedException

at line 266
preventReassignment(int $fileId, string $entityTable, int $entityId, array $apiRequest)

If the request attempts to change the entity_table/entity_id of an existing record, then generate an error.

Parameters

int $fileId The main record being changed.
string $entityTable The saved FK.
int $entityId The saved FK.
array $apiRequest The full API request.

Exceptions

API_Exception

at line 284
string|NULL getDelegatedEntityName(string $entityTable)

Parameters

string $entityTable The target entity table (e.g. "civicrm_mailing" or "civicrm_activity").

Return Value

string|NULL The target entity name (e.g. "Mailing" or "Activity").

at line 304
string getDelegatedAction(string $action)

Parameters

string $action API action name -- e.g. "create" ("When running create on a file...").

Return Value

string e.g. "create" ("Check for create permission on the mailing to which it is attached.")

at line 328
array getDelegate(int $id)

Parameters

int $id e.g. file ID.

Return Value

array (0 => bool $isValid, 1 => string $entityTable, 2 => int $entityId)

Exceptions

Exception

at line 356
bool isTrusted(array $apiRequest)

Parameters

array $apiRequest The full API request.

Return Value

bool

at line 365
array getCustomFields()

Return Value

array Each item has keys 'field_name', 'table_name', 'extends', 'entity_table'