dev/core#2752 Use acl, not blanket permissions on FinancialAccount, FinancialType, EntityFinancialAccount #21181
Conversation
|
(Standard links)
|
eileenmcnaughton
force-pushed
the
perm3
branch
from
2078183
to
4164ed1
Compare
eileenmcnaughton
changed the title
eileenmcnaughton
force-pushed
the
perm3
branch
from
4164ed1
to
7188062
Compare
eileenmcnaughton
changed the title
eileenmcnaughton
force-pushed
the
perm3
branch
from
7188062
to
aa1565d
Compare
| @@ -1137,6 +1137,9 @@ public static function getEntityActionPermissions() { | |||
| $permissions['line_item'] = $permissions['contribution']; | |||
|
|
|||
| $permissions['financial_item'] = $permissions['contribution']; | |||
| $permissions['financial_type']['get'] = $permissions['contribution']['get']; | |||
There was a problem hiding this comment.
Initial test runs suggest that maybe we want the permissions of contribution.get OR 'Administer CiviCRM' (or 'Administer CiviCRM Data' which is implicit in Administer CiviCRM)
- since I guess lines like this suggest that we need to be careful not to reduce access
civicrm-core/CRM/Event/BAO/Event.php
Lines 2364 to 2366 in 0fba5cf
I just added error handling - but not 100% sure if that is enough forgiveness
eileenmcnaughton
force-pushed
the
perm3
branch
3 times, most recently
from
bde5c32
to
1704e38
Compare
| if (array_key_exists('CiviContribute', CRM_Core_Component::getEnabledComponents())) { | ||
| return CRM_Financial_BAO_FinancialType::getIncomeFinancialType(); | ||
| // if check_permission has been passed in (not Null) then restrict. | ||
| return CRM_Financial_BAO_FinancialType::getIncomeFinancialType($props['check_permissions'] ?? TRUE); |
There was a problem hiding this comment.
note I updated the v3 api to always set $props['check_permissions'] - the ?? will default to true if NULL but not if set to false
|
@seamuslee001 @colemanw @monishdeb this is passing now but I'm still trying to get my head around it. I guess before this change
That is not consistent with our model - our model is that checkPermissions = FALSE means 'don't check permissions at all' and checkPermissions = true means 'apply both entity level and acl level permissions' So with this change the requirement for the get is reduced to 'access CiviContribute' in order to make data available in search kit (eg. I implemented the permissions for I don't have to convert
So my 2 biggest doubts right now are
|
|
@seamuslee001 did you get another chance to think about this ? I'm hoping to get this merged before the rc is cut |
eileenmcnaughton
force-pushed
the
perm3
branch
from
1704e38
to
5d6fb58
Compare
eileenmcnaughton
force-pushed
the
perm3
branch
from
5d6fb58
to
65de244
Compare
eileenmcnaughton
force-pushed
the
perm3
branch
from
65de244
to
6a14095
Compare
…EntityFinancialAccount
eileenmcnaughton
force-pushed
the
perm3
branch
from
6a14095
to
87e130b
Compare
|
I'm going to merge this based on code review, solid test coverage, and the fact that it's been used in production for 6 months by WMF. |
Overview
Use acl, not blanket permissions on FinancialAccount, FinancialType, EntityFinancialAccount
https://lab.civicrm.org/dev/core/-/issues/2752
Before
API get calls for the FinancialAccount, FinancialType and EntityFinancialAccount entities fail due to the minimum permission being 'Administer CiviCRM'
After
If the contact has access CiviContribute permission that is enough for 'get'. However, the api results will be filtered by their permitted financial types. In the case of financial type this is a direct filter but in the case of financial account I have interpretted this as a filter on the associated income account
Technical Details
@seamuslee001 this is part of the issue I was pinging you about. I think this part is probably straight forward - it's the payments (the important part) that isn't so I'll leave out of scope for this PR
Comments