dev/core#4184 Fix Import over-authorization

civicrm · Mar 15, 2023 · 250b13b · 250b13b
1 parent ff32212
commit 250b13b
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/ext/civiimport/Civi/Api4/Event/Subscriber/ImportSubscriber.php b/ext/civiimport/Civi/Api4/Event/Subscriber/ImportSubscriber.php
@@ -104,7 +104,7 @@ public function on_hook_civicrm_post(PostEvent $event): void {
   public function onApiAuthorize(AuthorizeEvent $event): void {
     $apiRequest = $event->getApiRequest();
     $entity = $apiRequest['entity'];
-    if (strpos($entity, 'Import_') === 0) {
+    if (strpos($entity, 'Import_') === 0 && !in_array($event->getActionName(), ['getFields', 'getActions', 'checkAccess'], TRUE)) {
       $userJobID = (int) (str_replace('Import_', '', $entity));
       if (!UserJob::get(TRUE)->addWhere('id', '=', $userJobID)->selectRowCount()->execute()->count()) {
         throw new UnauthorizedException('Import access not permitted');