#4184 Fix Import over-authorization

250b13bc · Eileen McNaughton · ff32212b · 250b13bc
Commit 250b13bc authored 2 years ago by Eileen McNaughton
--- a/ext/civiimport/Civi/Api4/Event/Subscriber/ImportSubscriber.php
+++ b/ext/civiimport/Civi/Api4/Event/Subscriber/ImportSubscriber.php
@@ -104,7 +104,7 @@ class ImportSubscriber extends AutoService implements EventSubscriberInterface {
  public function onApiAuthorize(AuthorizeEvent $event): void {
    $apiRequest = $event->getApiRequest();
    $entity = $apiRequest['entity'];
-    if (strpos($entity, 'Import_') === 0) {
+    if (strpos($entity, 'Import_') === 0 && !in_array($event->getActionName(), ['getFields', 'getActions', 'checkAccess'], TRUE)) {
      $userJobID = (int) (str_replace('Import_', '', $entity));
      if (!UserJob::get(TRUE)->addWhere('id', '=', $userJobID)->selectRowCount()->execute()->count()) {
        throw new UnauthorizedException('Import access not permitted');