SearchKit - Bypass ACLs for entity displays and require super-admin permission

[colemanw]

Overview

Prevents a crash when rebuilding a SearchKit entity display from a cron job or when run by a less-permissioned user. Ensures consistent results of entity displays regardless of logged-in user.

Technical Details

Entity displays are tables/views built from a query. They should always return the same results regardless of the logged-in user, therefore those user ACLs should not be part of the query.

This switches such displays to always bypass permission checks. And like any other display with acl_bypass, they now require the super-admin permission to create or edit such displays. This prevents any unwanted access by less-permissioned users.

[civibot]

🤖 Thank you for contributing to CiviCRM! ❤️ We will need to test and review this PR. 👷

Introduction for new contributors...

• If this is your first PR, an admin will greenlight automated testing with the command ok to test or add to whitelist.
• A series of tests will automatically run. You can see the results at the bottom of this page (if there are any problems, it will include a link to see what went wrong).
• A demo site will be built where anyone can try out a version of CiviCRM that includes your changes.
• If this process needs to be repeated, an admin will issue the command test this please to rerun tests and build a new demo site.
• Before this PR can be merged, it needs to be reviewed. Please keep in mind that reviewers are volunteers, and their response time can vary from a few hours to a few weeks depending on their availability and their knowledge of this particular part of CiviCRM.
• A great way to speed up this process is to "trade reviews" with someone - find an open PR that you feel able to review, and leave a comment like "I'm reviewing this now, could you please review mine?" (include a link to yours). You don't have to wait for a response to get started (and you don't have to stop at one!) the more you review, the faster this process goes for everyone 😄
• To ensure that you are credited properly in the final release notes, please add yourself to contributor-key.yml
• For more information about contributing, see CONTRIBUTING.md.

Quick links for reviewers...

• ➡️ PR Demo site (can be rebuilt with the command test this please).
• 📖 Review standards
• 🗒️ Review template (brief or verbose)

➡️ Online demo of this PR 🔗

[ufundo]

what if superadmin creates the entity display, then a non-super admin tries to edit the same saved search?

[colemanw]

@ufundo non-super-admins won't be allowed to edit the search or the display.

[ufundo]

And like any other display with acl_bypass, they now require the super-admin permission to create or edit such displays. This prevents any unwanted access by less-permissioned users.

Can a non-super admin edit the Saved Search, and thereby sneak something else out?

Ensures consistent results of entity displays regardless of logged-in user.

A bit tangential, but do we block using user_contact_id value in the saved search?

[colemanw]

@ufundo good questions.

Can a non-super admin edit the Saved Search, and thereby sneak something else out?

No, they can't. See https://github.com/civicrm/civicrm-core/pull/35629/changes#diff-1ee3649dbd3ff87b7a414c8c76dbdee26b62185742b3301587b74cd0d6dd8e72R84

A bit tangential, but do we block using user_contact_id value in the saved search?

Yes, once #35613 is merged we do.

[ufundo]

Thanks @colemanw

I've r-run and couldn't find a way to edit anything I shouldn't