Development / Core / Issues / #1205

Closed
Open
Created Aug 23, 2019 by jaapjansma (@jaapjansma, Developer)

Attachment API for event custom field gives: Failed to run Permissions checks

Summary

Retrieving the attachment of a custom field connected to an event with a (REST) API gives: Failed to run permission check: Unrecognized target entity table (civicrm_event), even when I can retrieve the event with the API.

How to reproduce

  1. Create a custom group for Events.
  2. Create a custom field of type File in this custom group.
  3. Create an event and upload a file.
  4. Create an API user, with an API key with permissions to retrieve the attachment.
  5. Call Attachment.get with the id of the attachment uploaded to the event.

Related issues/fixes

#690 (closed) - Support more entities in Attachment API by short-circuiting permission check, which was fixed by @pfigel

The cause of the problem

This permission error is caused by

Civi\Core\Container.php:


    $dispatcher->addSubscriber(new \Civi\API\Subscriber\DynamicFKAuthorization(
      $kernel,
      'Attachment',
      ['create', 'get', 'delete'],
      // Given a file ID, determine the entity+table it's attached to.
      'SELECT if(cf.id,1,0) as is_valid, cef.entity_table, cef.entity_id
         FROM civicrm_file cf
         LEFT JOIN civicrm_entity_file cef ON cf.id = cef.file_id
         WHERE cf.id = %1',
      // Get a list of custom fields (field_name,table_name,extends)
      'SELECT concat("custom_",fld.id) as field_name,
        grp.table_name as table_name,
        grp.extends as extends
       FROM civicrm_custom_field fld
       INNER JOIN civicrm_custom_group grp ON fld.custom_group_id = grp.id
       WHERE fld.data_type = "File"
      ',
      ['civicrm_activity', 'civicrm_mailing', 'civicrm_contact', 'civicrm_grant']
    ));

See https://github.com/civicrm/civicrm-core/blob/master/Civi/Core/Container.php#L436

Possible solution

The short solution is to add 'civicrm_event' to this array ['civicrm_activity', 'civicrm_mailing', 'civicrm_contact', 'civicrm_grant']. But then we have to add all entities which potentially could have a file custom field.

@eileen, @colemanw, @pfigel, what do you think?
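
The allowlist trade-off raised in this issue, as an added example that is not part of the original report or of CiviCRM's code: it reuses the custom-field join from the excerpt to list File custom fields whose base entity table is missing from the allowlist, so the effect of adding only `civicrm_event` is visible. The `extends`-to-table mapping, the function names and the sample rows are assumptions constructed for this illustration, and SQLite stands in for the site database.

```python
import sqlite3

# Allowlist copied from the Container.php excerpt in the issue.
ALLOWED_TABLES = ["civicrm_activity", "civicrm_mailing", "civicrm_contact", "civicrm_grant"]

# Assumption: partial mapping from custom-group "extends" values to base
# tables, written for this example; a real site may use other values.
EXTENDS_TO_TABLE = {
    "Activity": "civicrm_activity", "Contact": "civicrm_contact",
    "Individual": "civicrm_contact", "Organization": "civicrm_contact",
    "Household": "civicrm_contact", "Grant": "civicrm_grant",
    "Event": "civicrm_event", "Contribution": "civicrm_contribution",
}

# Same join as the second query in the excerpt, in portable SQL.
FILE_FIELDS_SQL = """
SELECT 'custom_' || fld.id AS field_name, grp.table_name, grp.extends
FROM civicrm_custom_field fld
INNER JOIN civicrm_custom_group grp ON fld.custom_group_id = grp.id
WHERE fld.data_type = 'File'
ORDER BY fld.id
"""

def uncovered_file_fields(conn, allowed=ALLOWED_TABLES):
    """Return (field_name, extends, base_table) for File fields outside the allowlist."""
    gaps = []
    for field_name, _table_name, extends in conn.execute(FILE_FIELDS_SQL):
        base = EXTENDS_TO_TABLE.get(extends)  # None means unmapped: report it too
        if base is None or base not in allowed:
            gaps.append((field_name, extends, base))
    return gaps

def sample_db():
    """Constructed sample data: three File fields and one non-File field."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE civicrm_custom_group (id INTEGER PRIMARY KEY, table_name TEXT, extends TEXT);
    CREATE TABLE civicrm_custom_field (id INTEGER PRIMARY KEY, custom_group_id INTEGER, data_type TEXT);
    INSERT INTO civicrm_custom_group VALUES
      (1, 'civicrm_value_event_docs_1', 'Event'),
      (2, 'civicrm_value_contact_docs_2', 'Individual'),
      (3, 'civicrm_value_contrib_docs_3', 'Contribution');
    INSERT INTO civicrm_custom_field VALUES
      (10, 1, 'File'), (11, 2, 'File'), (12, 3, 'File'), (13, 1, 'String');
    """)
    return conn

if __name__ == "__main__":
    print(uncovered_file_fields(sample_db()))
```

With the constructed rows, extending the allowlist with `civicrm_event` clears the Event field but still leaves the Contribution field reported.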

Milestone: 5.20.0