(regression) SearchKit doesn't handle delegated access permissions correctly
A git bisect traced this to https://github.com/civicrm/civicrm-core/pull/25969. It works in 5.60.
When a user does not have the 'all CiviCRM permissions and ACLs' permission, making a contact field that isn't on the primary entity in-line editable causes a crash (and no search results are returned).
Steps to Replicate
- Create a new user without 'all CiviCRM permissions and ACLs' permission, but otherwise an administrator. This may not be necessary on non-Drupal systems - but user 1 having all permissions blocks replication.
- Create the SearchKit query in the screenshot below (I've exported it for easier use).
- Create a table display, make the "Gender" field in-line editable.
- Press "Preview"
Expected Result
You see search results.
Actual Result
500 error - `getFieldValue failed`.
The issue is in `CRM_Contact_BAO_Contact::_checkAccess()`. This attempts to access `$record['id']`, but after PR #25969 the record is passing `id_01.id`.
```json
[
  [
    "SavedSearch",
    "save",
    {
      "records": [
        {
          "name": "delegated_permission_test",
          "label": "delegated permission test",
          "form_values": null,
          "mapping_id": null,
          "search_custom_id": null,
          "api_entity": "Participant",
          "api_params": {
            "version": 4,
            "select": [
              "id",
              "Participant_Contact_contact_id_01.display_name",
              "Participant_Contact_contact_id_01.gender_id:label"
            ],
            "orderBy": [],
            "where": [],
            "groupBy": [],
            "join": [
              [
                "Contact AS Participant_Contact_contact_id_01",
                "LEFT",
                [
                  "contact_id",
                  "=",
                  "Participant_Contact_contact_id_01.id"
                ]
              ]
            ],
            "having": []
          },
          "expires_date": null,
          "description": null
        }
      ]
    }
  ],
  [
    "SearchDisplay",
    "save",
    {
      "records": [
        {
          "name": "delegated_permission_test_Table_1",
          "label": "delegated permission test Table 1",
          "saved_search_id.name": "delegated_permission_test",
          "type": "table",
          "settings": {
            "description": null,
            "sort": [],
            "limit": 50,
            "pager": [],
            "placeholder": 5,
            "columns": [
              {
                "type": "field",
                "key": "id",
                "dataType": "Integer",
                "label": "Participant ID",
                "sortable": true
              },
              {
                "type": "field",
                "key": "Participant_Contact_contact_id_01.display_name",
                "dataType": "String",
                "label": "Participant Contact: Display Name",
                "sortable": true,
                "title": "Participant Contact: Display Name"
              },
              {
                "type": "field",
                "key": "Participant_Contact_contact_id_01.gender_id:label",
                "dataType": "Integer",
                "label": "Participant Contact: Gender",
                "sortable": true,
                "editable": true
              }
            ],
            "actions": true,
            "classes": [
              "table",
              "table-striped"
            ]
          },
          "acl_bypass": false
        }
      ]
    }
  ]
]
```
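The key mismatch described above, as an added illustration that is not CiviCRM code and not part of the original report: an access check that reads `$record['id']` only sees the right entity's id if the join alias prefix is stripped first. The function names `extractJoinedRecord` and `checkContactAccess`, the `$canEdit` callback and the sample row values are hypothetical; only the alias and field names come from the exported search.

```php
<?php
// Added illustration; hypothetical helpers, not CiviCRM's implementation.

/** Return one joined entity's fields from a flat row, with the alias prefix removed. */
function extractJoinedRecord(array $row, string $alias): array {
  $prefix = $alias . '.';
  $record = [];
  foreach ($row as $key => $value) {
    // Keep only this alias's raw fields; skip pseudo-fields such as 'gender_id:label'.
    if (strpos($key, $prefix) === 0 && strpos($key, ':') === FALSE) {
      $record[substr($key, strlen($prefix))] = $value;
    }
  }
  return $record;
}

/** Per-entity edit check that fails closed when the record carries no usable id. */
function checkContactAccess(array $record, callable $canEdit): bool {
  if (!isset($record['id']) || !is_numeric($record['id'])) {
    return FALSE; // deny instead of throwing, so the search still renders
  }
  return (bool) $canEdit((int) $record['id']);
}

// Constructed sample row shaped like the search above (values are made up).
$alias = 'Participant_Contact_contact_id_01';
$row = [
  'id' => 12, // Participant id, not a contact id
  $alias . '.id' => 203,
  $alias . '.display_name' => 'Sample Contact',
  $alias . '.gender_id:label' => 'Female',
];
// Hypothetical ACL: this user may edit contact 203 only.
$canEdit = fn(int $contactId): bool => $contactId === 203;

// 1. Prefix stripped: the check sees contact id 203.
var_dump(checkContactAccess(extractJoinedRecord($row, $alias), $canEdit));

// 2. Joined keys passed unstripped: there is no 'id' key, so access is denied.
$unstripped = array_filter($row, fn($k) => strpos($k, $alias . '.') === 0, ARRAY_FILTER_USE_KEY);
var_dump(checkContactAccess($unstripped, $canEdit));

// 3. Whole row passed: 'id' is the Participant id (12), so the check runs against the wrong entity.
var_dump(checkContactAccess($row, $canEdit));
```

Case 3 is the one to watch when fixing this kind of regression: falling back to the primary entity's `id` would silence the error while evaluating permissions against a different record.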