Merge pull request #25810 from eileenmcnaughton/import_subscriber

#4184 Fix Import over-authorization

ext/civiimport/Civi/Api4/Event/Subscriber/ImportSubscriber.php

@@ -104,7 +104,7 @@ class ImportSubscriber extends AutoService implements EventSubscriberInterface {
   public function onApiAuthorize(AuthorizeEvent $event): void {
     $apiRequest = $event->getApiRequest();
     $entity = $apiRequest['entity'];
-    if (strpos($entity, 'Import_') === 0) {
+    if (strpos($entity, 'Import_') === 0 && !in_array($event->getActionName(), ['getFields', 'getActions', 'checkAccess'], TRUE)) {
       $userJobID = (int) (str_replace('Import_', '', $entity));
       if (!UserJob::get(TRUE)->addWhere('id', '=', $userJobID)->selectRowCount()->execute()->count()) {
         throw new UnauthorizedException('Import access not permitted');