civi.api4.authorizeRecord
Summary
This Symfony event determines if the current user has write access to a given record. It is dispatched when checking permissions for write operations (create, update, delete) in APIv4. It does not affect read access for get actions.
Definition
This event is dispatched via the Symfony EventDispatcher.
public static function onApi4AuthorizeRecord(\Civi\Api4\Event\AuthorizeRecordEvent $event): void
Parameters
\Civi\Api4\Event\AuthorizeRecordEvent $event
Event Methods
getApiRequest(): \Civi\Api4\Generic\AbstractAction|array - Returns the full API request object or description array.
getApiRequestSig(): string - Returns a brief string signature identifying the entity/action (e.g. '3.contact.get').
getEntityName(): string - Returns the name of the entity being acted on (e.g. 'Contact', 'Activity').
getActionName(): string - Returns the APIv4 action name (e.g. 'create', 'update').
getRecord(): array - Returns all known or loaded values of the individual record being accessed. Guard code appropriately as the record may be incomplete (but should contain an id).
getUserID(): int - Returns the contact ID of the active/target user whose access is being checked. Returns 0 for anonymous users.
isAuthorized(): bool|null - Returns true if authorized, false if explicitly prohibited, or null if not yet determined.
setAuthorized(?bool $authorized): self - Explicitly changes the authorization status.
authorize(): self - Marks the request as authorized (sets status to true).
Example
use Civi\Api4\Event\AuthorizeRecordEvent;

public static function onApi4AuthorizeRecord(AuthorizeRecordEvent $event): void {
  // Only handle update actions on the Event entity
  if ($event->getEntityName() === 'Event' && $event->getActionName() === 'update') {
    $record = $event->getRecord();
    $userId = $event->getUserID();
    // Custom check: only allow updating if the user is the event creator/owner.
    // getUserID() returns 0 for anonymous users, so require a real contact ID and
    // compare as integers rather than with loose ==.
    if ($userId > 0 && isset($record['created_id']) && (int) $record['created_id'] === $userId) {
      $event->authorize();
    }
    else {
      $event->setAuthorized(false);
    }
  }
}
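
The following is an added example, not code from CiviCRM or from this page's authors. It exercises an owner-only listener against the three states of isAuthorized() and against an incomplete record, using only the event methods listed above. FakeAuthorizeRecordEvent, ownerOnlyEventWrites and the sample records are hypothetical names and constructed data; the constructor syntax assumes PHP 8.0 or later.

```php
<?php
// Stand-in exposing only event methods listed above (hypothetical, not the real class).
final class FakeAuthorizeRecordEvent {
  private ?bool $authorized = NULL;
  public function __construct(private string $entity, private string $action,
    private array $record, private int $userId) {}
  public function getEntityName(): string { return $this->entity; }
  public function getActionName(): string { return $this->action; }
  public function getRecord(): array { return $this->record; }
  public function getUserID(): int { return $this->userId; }
  public function isAuthorized(): ?bool { return $this->authorized; }
  public function setAuthorized(?bool $a): self { $this->authorized = $a; return $this; }
  public function authorize(): self { return $this->setAuthorized(TRUE); }
}

// Hypothetical policy: only the creator may update or delete an Event; fail closed.
function ownerOnlyEventWrites($event): void {
  if ($event->getEntityName() !== 'Event'
    || !in_array($event->getActionName(), ['update', 'delete'], TRUE)) {
    return; // Not our entity/action: leave the status exactly as it was.
  }
  if ($event->isAuthorized() === FALSE) {
    return; // Already explicitly prohibited; this listener never widens access.
  }
  $record = $event->getRecord();
  $userId = $event->getUserID();
  // The record may be incomplete: a missing or non-numeric created_id means "unknown owner".
  $owner = isset($record['created_id']) && is_numeric($record['created_id'])
    ? (int) $record['created_id'] : NULL;
  if ($userId > 0 && $owner === $userId) {
    $event->authorize();
  } else {
    $event->setAuthorized(FALSE); // Anonymous (ID 0), unknown owner, or not the owner.
  }
}

// Constructed cases: [entity, action, record, user ID] => expected isAuthorized().
$cases = [
  [['Event', 'update', ['id' => 7, 'created_id' => '202'], 202], TRUE],
  [['Event', 'update', ['id' => 7, 'created_id' => 202], 0], FALSE],
  [['Event', 'delete', ['id' => 7], 202], FALSE],
  [['Contact', 'update', ['id' => 9, 'created_id' => 202], 202], NULL],
];
foreach ($cases as [$args, $expected]) {
  $e = new FakeAuthorizeRecordEvent(...$args);
  ownerOnlyEventWrites($e);
  if ($e->isAuthorized() !== $expected) { throw new RuntimeException('unexpected status'); }
  echo $e->getEntityName(), '.', $e->getActionName(), ' => ', var_export($e->isAuthorized(), TRUE), "\n";
}
```

In an extension the listener would take \Civi\Api4\Event\AuthorizeRecordEvent as its parameter type, as in the definition above; it is left untyped here only so the stand-in can be passed in.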