CRM-17014: REST API does not respect ACLs

    Details

    • Documentation Required?:
      None
    • Funding Source:
      Contributed Code

      Description

      The REST API can't access contacts if the user in question has access to them purely via an ACL. So in practice all REST API users need to be admins or to have the 'view all contacts' permission.

      StackExchange issue here: http://civicrm.stackexchange.com/questions/4515/rest-api-and-acls-should-the-api-return-contacts-made-accessible-via-an-acl. Probably affects 4.6.x too, but I can't verify that on the demo site.

      It's because the REST API code in Utils/REST.php converts the incoming request into a regular API request, and this in turn tries to get the contact ID from the logged-in user. There inherently isn't a logged-in user, so this gets set to 0. So the ACL checks can't run properly.

      I have a fairly awful hacky fix that I'll turn into a PR, but I'm pretty sure it's not a good approach - it just duplicates the REST contact ID checks in the middle of the ACL process.
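The following script is an added regression check for the behaviour reported above; it is not code from this issue or from CiviCRM. It assumes CiviCRM's extern/rest.php endpoint with its usual query parameters (key = site key, api_key = the user's API key, entity, action, json=1, and options[limit]=0 to lift the default row limit); the contact IDs and the sample JSON response are constructed for illustration. Given the API key of a user whose access to some contacts comes only through an ACL, and the set of contact IDs that user can see in the web UI, it reports which of those contacts the REST API failed to return. An empty result means the REST API honoured the ACL.

```python
"""
Regression check for CRM-17014: does CiviCRM's REST API return the contacts
a user can see only through an ACL?  Added example, not code from the issue
or from CiviCRM.  Assumed: the extern/rest.php endpoint and its 'key',
'api_key', 'entity', 'action', 'json' and 'options[limit]' parameters.
The contact IDs and sample response below are constructed.
"""
import json
import urllib.parse
import urllib.request


def build_contact_get_url(civicrm_root, site_key, api_key, params=None):
    """Build a Contact.get REST URL authenticating as the api_key's user.

    civicrm_root is the URL of the CiviCRM module directory, e.g.
    https://example.org/sites/all/modules/civicrm (assumed layout).
    """
    query = {
        "entity": "Contact",
        "action": "get",
        "key": site_key,
        "api_key": api_key,
        "json": 1,
        "sequential": 1,      # values come back as a list, not a dict keyed by id
        "return": "id",
        "options[limit]": 0,  # 0 = no limit, so every visible contact is returned
    }
    if params:
        query.update(params)
    return civicrm_root.rstrip("/") + "/extern/rest.php?" + urllib.parse.urlencode(query)


def returned_contact_ids(response_body):
    """Parse an APIv3 JSON response and return the set of contact IDs in it."""
    data = json.loads(response_body)
    if data.get("is_error"):
        raise RuntimeError("CiviCRM API error: %s" % data.get("error_message"))
    values = data.get("values", [])
    if isinstance(values, dict):              # non-sequential form: {"101": {...}}
        return {int(k) for k in values}
    return {int(v["id"]) for v in values}     # sequential form: [{"id": "101"}]


def acl_gap(acl_visible_ids, rest_ids):
    """Contacts the user can see (via ACL) that the REST API did not return.

    Empty set: REST honoured the ACL.  Non-empty: the CRM-17014 behaviour.
    """
    return set(acl_visible_ids) - set(rest_ids)


def fetch_contact_ids(url, timeout=30):
    """Call the live REST endpoint (network; not used in the offline demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return returned_contact_ids(resp.read().decode("utf-8"))


# Constructed sample: the ACL user can see contacts 101, 102 and 103 in the
# web UI (101 is their own record), but the REST API only returned 101.
SAMPLE_ACL_VISIBLE = {101, 102, 103}
SAMPLE_RESPONSE = json.dumps({
    "is_error": 0, "version": 3, "count": 1, "id": 101,
    "values": [{"id": "101", "contact_type": "Individual"}],
})

if __name__ == "__main__":
    url = build_contact_get_url("https://example.org/sites/all/modules/civicrm",
                                "SITE_KEY", "USER_API_KEY")
    print("Would query:", url)
    missing = acl_gap(SAMPLE_ACL_VISIBLE, returned_contact_ids(SAMPLE_RESPONSE))
    print("ACL-visible contacts missing from REST:", sorted(missing))
```

To run it against a real site, replace the sample with `fetch_contact_ids(url)` for the ACL-limited user's API key and feed `acl_gap` the contact IDs that user sees when logged in through the web UI; running the same check before and after a fix, or on a 4.6.x instance, answers the version question raised in the description without guessing.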


    People

    • Assignee: Monish Deb (monish.deb)
    • Reporter: Andrew West (krypto)
    • Votes: 0
    • Watchers: 5
