APIv4 - Allow creator to read UserJob and Queue records

[totten]

Overview

Refine the permissions for UserJob and Queue records.

ping @eileenmcnaughton

Before

• Queue.get requires permission administer queues
• UserJob.* requires permission access CiviCRM, but it only
  returns records if where the created_id matches current-user

After

• Queue.get and UserJob.* follow similar rules
• Users with permission administer queues can view all
• Users with permission access CiviCRM can view items where created_id matches current-user

Technical Details

To r-run, I followed this approach:

• Make sure the local deployment had 3 users admin, demo, advisor. The advisor has access CiviCRM but no other relevant permissions (eg administer CiviCRM, administer queues).
  • (Note: My local demo had some oddities in the civicrm_uf_match that needed to be cleaned-up before testing. This is entirely by-the-by.)
• Create a UserJob and associated Queue (eg api explorer)
• Alternate between CLI and SQL commands like:

  update civicrm_user_job set created_id = 123;
  update civicrm_user_job set created_id = 456;
  
  cv api4 -U advisor Queue.get checkPermissions=1 -T
  cv api4 -U admin Queue.get checkPermissions=1 -T
  cv api4 -U advisor UserJob.get checkPermissions=1 -T
  cv api4 -U admin UserJob.get checkPermissions=1 -T
  

[civibot]

(Standard links)

• If this is your first pull-request for CiviCRM, please browse CONTRIBUTING.md for information about the development and testing processes.
• If you are reviewing this pull-request, you may wish to consult the test sites and the Review Standards (long template, short template).

[eileenmcnaughton]

Yep - this looks right - & I think your r-run testing covers it