Commit 0e4ba120 authored by totten's avatar totten

Afform.{prefill,submit} - APIs should respect `permission`

parent 5b87b056
......@@ -35,6 +35,12 @@ abstract class AbstractProcessor extends \Civi\Api4\Generic\AbstractAction {
public function _run(Result $result) {
// This will throw an exception if the form doesn't exist
$this->_afform = (array) civicrm_api4('Afform', 'get', ['checkPermissions' => FALSE, 'where' => [['name', '=', $this->name]]], 0);
if ($this->getCheckPermissions()) {
if (!\CRM_Core_Permission::check("@afform:" . $this->_afform['name'])) {
throw new \Civi\API\Exception\UnauthorizedException("Authorization failed: Cannot process form " . $this->_afform['name']);
}
}
$this->_formDataModel = FormDataModel::create($this->_afform['layout']);
$this->validateArgs();
$result->exchangeArray($this->processForm());
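Review bot: The form is loaded on the line above the new check with `'checkPermissions' => FALSE` and only afterwards is `@afform:<name>` enforced, so a caller who lacks the form's permission can still tell whether a given name exists: a missing name surfaces the lookup exception noted in the comment, while an existing-but-forbidden one surfaces this `UnauthorizedException`. If that distinction matters, catching the lookup failure and rethrowing it as the same `UnauthorizedException` would remove it; otherwise a short comment should record the intent, e.g. `// Existence is resolved before authorization; a missing name raises a different error than a denied one.` The check is correctly placed ahead of `validateArgs()` and `processForm()`, so no form processing happens for a denied caller. `_run` may continue past the end of this hunk.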
......@@ -71,6 +71,42 @@ EOHTML;
$this->assertEquals('Lasty', $contact['last_name']);
}
public function testAboutMeForbidden() {
$this->useValues([
'layout' => self::$layouts['aboutMe'],
'permission' => CRM_Core_Permission::ALWAYS_DENY_PERMISSION,
]);
$this->createLoggedInUser();
CRM_Core_Config::singleton()->userPermissionTemp = new CRM_Core_Permission_Temp();
try {
Civi\Api4\Afform::prefill()
->setName($this->formName)
->setArgs([])
->execute()
->indexBy('name');
$this->fail('Expected authorization exception from Afform.prefill');
}
catch (\Civi\API\Exception\UnauthorizedException $e) {
$this->assertRegExp(';Authorization failed: Cannot process form mock\d+;', $e->getMessage());
}
try {
Civi\Api4\Afform::submit()
->setName($this->formName)
->setArgs([])
->setValues([
'does.n' => 'tmatter',
])
->execute();
$this->fail('Expected authorization exception from Afform.submit');
}
catch (\Civi\API\Exception\UnauthorizedException $e) {
$this->assertRegExp(';Authorization failed: Cannot process form mock\d+;', $e->getMessage());
}
}
protected function useValues($values) {
$defaults = [
'title' => 'My form',
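Review bot: `assertRegExp` in both catch blocks is deprecated in PHPUnit 9 in favour of `assertMatchesRegularExpression`; if the project's PHPUnit version supports it, switch both calls, e.g. `$this->assertMatchesRegularExpression(';Authorization failed: Cannot process form mock\d+;', $e->getMessage());`. The test only exercises the denied path; the `checkPermissions` opt-out that the processor change relies on is not pinned here, so a third call with `->setCheckPermissions(FALSE)` that is expected to succeed would confirm the bypass still works for trusted callers and that the denial is really driven by the form's `permission` value. `useValues` begins at the end of this hunk and continues outside it.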