processGenericEntity() - To checkPermissions or not to checkPermissions?
While working on !17, I tangentially read Civi\Api4\Action\Afform\Submit::processGenericEntity() and think I saw an issue.
Consider: when it delegates to civicrm_api4() for the final updates, should that call specify checkPermissions => FALSE or checkPermissions => TRUE?
Right now, it doesn't specify, which means checkPermissions => TRUE. That seems right for forms in which we "act as the current user" (e.g. backend admin managing constituents with a customized layout), but it doesn't feel right for forms in which we "allow a limited escalation" (e.g. anonymous user filling out a frontend lead-gen form with a few whitelisted fields). Given that the raison d'etre of Afform.prefill/Afform.submit is to allow such escalations, it probably needs some way to toggle checkPermissions...?
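
One shape the toggle asked about above could take, as an added sketch that is not Afform's code: `buildSaveParams()` and the `fields` and `permission_mode` keys are hypothetical names, and only `civicrm_api4()` with its `checkPermissions` parameter is the real API. It shows that once permission checks are skipped, the form's field whitelist is the only bound on what the submitter can write.

```php
<?php
// Added illustration, not Afform's code. buildSaveParams() and the
// 'fields' / 'permission_mode' keys are hypothetical names.

function buildSaveParams(array $formEntity, array $submitted): array {
  // Whichever mode applies, only fields declared on the form may be written.
  $values = array_intersect_key($submitted, array_flip($formEntity['fields']));

  // 'act_as_user': API4 enforces the current user's permissions (its default).
  // 'limited_escalation': checks are skipped, so the whitelist above is the
  // only thing bounding what the submitter can write.
  $mode = $formEntity['permission_mode'] ?? 'act_as_user';
  if (!in_array($mode, ['act_as_user', 'limited_escalation'], TRUE)) {
    throw new InvalidArgumentException("Unknown permission_mode: $mode");
  }
  return [
    'checkPermissions' => ($mode === 'act_as_user'),
    'records' => [$values],
  ];
}

// Constructed sample input: an anonymous lead-gen submission.
$leadForm = [
  'type' => 'Contact',
  'fields' => ['first_name', 'last_name'],
  'permission_mode' => 'limited_escalation',
];
$submitted = [
  'first_name' => 'Ada',
  'last_name' => 'Lovelace',
  'do_not_email' => 1, // not a field on the form, so it is dropped
];

$params = buildSaveParams($leadForm, $submitted);
var_export($params);

// Inside a bootstrapped CiviCRM the save would then be:
if (function_exists('civicrm_api4')) {
  civicrm_api4($leadForm['type'], 'save', $params);
}
```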