SearchKit: Directive Filters can fail with non-privileged user
It's possible to get a "Authorization Failed" error as a non-privileged user, even when ACL bypass is enabled. It requires you filter on an entity that has a labelField
defined in the XML schema.
Steps to replicate: Import the SK/Afform below. Or manually:
- Create a SK query of an entity that contains a labelField. "Countries" works well. No added WHERE, columns, etc. are necessary.
- Create a table display of this SK query. Enable ACL bypass.
- Create an Afform of the table display. Give it a path, make accessible on the front end, use a permission available to anonymous users (e.g. "make online contributions").
- On the second tab of the Afform, add a filter on the id, getting it from the URL.
- Once you have the afform in place, visit it as both an admin and anonymous user, both with and without filters. Admin users get all results without a filter, and a single result with a filter. Anonymous users can (correctly) get all results without a filter, but adding a filter results in an "Authorization failed" error on the API call.
This happens because there's an API call made where checkPermissions
is set to whether the SK query should check permissions, but doesn't consider whether an ACL bypass is in place.
[
[
"SavedSearch",
"save",
{
"records": [
{
"name": "d2_test",
"label": "d2 test",
"form_values": null,
"mapping_id": null,
"search_custom_id": null,
"api_entity": "Country",
"api_params": {
"version": 4,
"select": [
"id",
"name"
],
"orderBy": [],
"where": [],
"groupBy": [],
"join": [],
"having": []
},
"expires_date": null,
"description": null
}
],
"match": [
"name"
]
}
],
[
"SearchDisplay",
"save",
{
"records": [
{
"name": "d2_test_Table_1",
"label": "d2 test Table 1",
"saved_search_id.name": "d2_test",
"type": "table",
"settings": {
"description": null,
"sort": [],
"limit": 50,
"pager": [],
"placeholder": 5,
"columns": [
{
"type": "field",
"key": "id",
"dataType": "Integer",
"label": "Country ID",
"sortable": true
},
{
"type": "field",
"key": "name",
"dataType": "String",
"label": "Country",
"sortable": true
}
],
"actions": true,
"classes": [
"table",
"table-striped"
]
},
"acl_bypass": true
}
],
"match": [
"name",
"saved_search_id"
]
}
],
[
"Afform",
"save",
{
"records": [
{
"name": "afsearchD2TestAfform",
"requires": [],
"title": "d2 test afform",
"description": "",
"is_dashlet": false,
"is_public": true,
"is_token": false,
"permission": "make online contributions",
"type": "search",
"icon": "fa-list-alt",
"server_route": "civicrm/d2",
"entity_type": null,
"join_entity": null,
"contact_summary": null,
"summary_contact_type": null,
"redirect": null,
"create_submission": null,
"navigation": null,
"layout": "<div af-fieldset=\"\">\n <crm-search-display-table search-name=\"d2_test\" display-name=\"d2_test_Table_1\" filters=\"{id: routeParams.id}\"></crm-search-display-table>\n</div>\n"
}
]
}
]
]