Attachment API for event custom field gives: Failed to run Permissions checks
Summary
Retrieving the attachment with an (rest) API of a custom field connected to an event gives: Failed to run permission check: Unrecognized target entity table (civicrm_event). Even when I can retrieve the event with the API.
How to reproduce
- Create an custom group for Events.
- Create a custom field of type File in this custom group.
- Create an event and upload a file
- Create an api user, with an api key with permissions to retrieve the attachment
- Call Attachment.get with the id of the attachment uploaded to the event
Related issues/fixes
#690 (closed) - Support more entities in Attachment API by short-circuiting permission check which was fixed @pfigel
The casue of the problem
This permission error is caused by
Civi\Core\Container.php:
$dispatcher->addSubscriber(new \Civi\API\Subscriber\DynamicFKAuthorization(
$kernel,
'Attachment',
['create', 'get', 'delete'],
// Given a file ID, determine the entity+table it's attached to.
'SELECT if(cf.id,1,0) as is_valid, cef.entity_table, cef.entity_id
FROM civicrm_file cf
LEFT JOIN civicrm_entity_file cef ON cf.id = cef.file_id
WHERE cf.id = %1',
// Get a list of custom fields (field_name,table_name,extends)
'SELECT concat("custom_",fld.id) as field_name,
grp.table_name as table_name,
grp.extends as extends
FROM civicrm_custom_field fld
INNER JOIN civicrm_custom_group grp ON fld.custom_group_id = grp.id
WHERE fld.data_type = "File"
',
['civicrm_activity', 'civicrm_mailing', 'civicrm_contact', 'civicrm_grant']
));
See https://github.com/civicrm/civicrm-core/blob/master/Civi/Core/Container.php#L436
Possible solution
The sort solution is to add 'civicrm_event' to this array ['civicrm_activity', 'civicrm_mailing', 'civicrm_contact', 'civicrm_grant']. But then we have to add all entities which potentially could have a file custom field.