CiviCRM / CRM-12413

CiviCRM does not error on an api-key given through the REST interface that is not connected to a CMS user

Details

• Type: Bug
• Status: Done/Fixed
• Priority: Trivial
• Resolution: Fixed/Completed
• Affects Version/s: 4.3.1
• Fix Version/s: 4.3.3
• Component/s: CiviCRM API

Description

When an api-key that is not attached to a CMS user is used with the REST interface, the CMS bootstrap will be skipped but the rest of the API call will continue. This would allow any contact given an api-key full access to CiviCRM through the API, and could also cause problems due to the CMS not being bootstrapped (this won't affect every case, but if there is logic in a Drupal module, it will fail to run for that contact's API calls).
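
The fail-open flow described above, next to a fail-closed variant and a check for keys with no CMS user behind them. This is an added example, a simplified model and not CiviCRM's code; every function name, key and id in it is hypothetical and the data is constructed.

```php
<?php
// Simplified model of the flow in the report; not CiviCRM's code.
// Every name and value here is hypothetical, and the data is constructed.
const API_KEYS  = ['key-alice' => 101, 'key-bob' => 202]; // api_key => contact id
const CMS_USERS = [101 => 7];              // contact id => CMS user id; contact 202 has none
final class AuthError extends RuntimeException {}

/** Reported behaviour: a missing CMS user only skips the bootstrap step. */
function authenticateFailOpen(string $apiKey): array
{
    $contactId = API_KEYS[$apiKey] ?? null;
    if ($contactId === null) {
        throw new AuthError('unknown api_key');
    }
    $cmsUserId = CMS_USERS[$contactId] ?? null;
    // Nothing stops the request when $cmsUserId is null, so the call proceeds
    // without a CMS session and without any CMS-side logic being run.
    return ['contact' => $contactId, 'cms_user' => $cmsUserId];
}

/** Fail-closed variant: a key with no CMS user behind it is rejected. */
function authenticateFailClosed(string $apiKey): array
{
    $session = authenticateFailOpen($apiKey);
    if ($session['cms_user'] === null) {
        throw new AuthError('api_key is not attached to a CMS user');
    }
    return $session;
}

/** Audit helper: ids of contacts that hold an api_key but have no CMS user. */
function contactsWithUnmappedKeys(): array
{
    // Flip to contact id => api_key, then drop every contact id present in CMS_USERS.
    return array_keys(array_diff_key(array_flip(API_KEYS), CMS_USERS));
}

foreach (['authenticateFailOpen', 'authenticateFailClosed'] as $auth) {
    foreach (array_keys(API_KEYS) as $key) {
        try {
            $s = $auth($key);
            $user = $s['cms_user'] ?? 'none';
            echo "$auth($key): allowed, contact {$s['contact']}, CMS user $user\n";
        } catch (AuthError $e) {
            echo "$auth($key): rejected, {$e->getMessage()}\n";
        }
    }
}
echo 'Contacts with a key but no CMS user: ', implode(', ', contactsWithUnmappedKeys()), "\n";
```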

People

• Assignee: Tim Otten (timotten)
• Reporter: Colby Warkentin (colbyw)