APIv4 does not respect hook permissions via searchkit
To Replicate
- git clone https://github.com/eileenmcnaughton/paymentsearch.git
- enable the payment search extension
- go to Contributions->find payments, note that check numbers are populated
- create a user with permissions to all contacts & CiviContribute but not 'administer CiviCRM'
- note that this user cannot see check numbers at Contributions->find payments
Details
There is an issue for 'users who can see contributions should be able to see payments' (#2752 (closed)) - this is not that issue. This issue is 'an extension should be able to alter the permissions when core is too restrictive'. Note I think this is a regression from a few months back.
When APIv4 checks if it can load data from a related entity, it calls getActions:

```php
// Every public static method on the entity class except permissions(), getInfo()
// and the '_'-prefixed ones is loaded as an action.
if ($actionName != 'permissions' && $actionName != 'getInfo' && $actionName[0] != '_') {
  $this->loadAction($actionName, $method);
}
```
Which determines the top-level permission to check via
Which calls
Unlike APIv3, this list of permissions is not filtered through the apiAlterPermissions hook, which is the problem.
@colemanw I see that the docs confirm this https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_alterAPIPermissions/ - but I don't understand how extensions are supposed to fix up permissions with apiv4
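For reference, this is the kind of extension-level hook implementation the issue is about: what an extension registers so that APIv3 relaxes a permission that core sets too strictly, and which, per the description above, APIv4's getActions() path does not consult. It is an added example, not code from the paymentsearch extension or from CiviCRM core; the hook signature is the one documented at the link above, while the `myext` prefix, the `financial_trxn`/`get` entity and action keys, and the choice of `access CiviContribute` as the relaxed permission are assumptions for illustration.

```php
<?php
// Added example (not from the paymentsearch extension or CiviCRM core).
// Assumptions: extension prefix 'myext'; the payment data is read through the
// lower-cased APIv3 entity key 'financial_trxn' with action 'get'; the
// permission a contribution viewer already holds is 'access CiviContribute'.

/**
 * Implements hook_civicrm_alterAPIPermissions().
 *
 * APIv3 invokes this hook on every API call with the full permission map,
 * so an extension can relax (or tighten) the default before the check runs.
 *
 * @param string $entity      Lower-cased entity of the current call, e.g. 'financial_trxn'.
 * @param string $action      Lower-cased action of the current call, e.g. 'get'.
 * @param array  $params      Parameters of the current call (by reference).
 * @param array  $permissions Map of $permissions[$entity][$action] => [required perms].
 */
function myext_civicrm_alterAPIPermissions($entity, $action, &$params, &$permissions) {
  // Only touch the call this extension cares about; leave every other
  // entity/action pair at whatever core (or another extension) set.
  if ($entity !== 'financial_trxn' || $action !== 'get') {
    return;
  }

  // Core's fallback for an unlisted action is 'administer CiviCRM', which is
  // what locks check numbers away from ordinary contribution viewers.
  // Replace it with the permission a contribution viewer already has.
  // (Assumption: that 'access CiviContribute' is the intended bar.)
  $permissions['financial_trxn']['get'] = ['access CiviContribute'];
}
```

The hook is only as useful as the code path that calls it: with APIv3 the relaxed entry above is what the permission check reads, whereas the description above reports that APIv4's getActions() builds its permission list without running the hook, so a user without 'administer CiviCRM' is still refused the related-entity data even with this implementation installed.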