Details
-
Type: Sub-task
-
Status: Done/Fixed
-
Priority: Trivial
-
Resolution: Fixed/Completed
-
Affects Version/s: 3.4.1, 4.0.1
-
Component/s: CiviCRM API
-
Labels:None
Description
API 3 permissions, as implemented in CiviCRM 3.4.1/4.0.1, kick in unless $params['check_permissions'] is explicitly set to false for all API calls. This means that API calls made in anonymous context will fail the permission check (unless anonymous users have all the relevant permissions OR the API calls set check_permissions to false).
1. Revert this decision and check permissions only if check_permissions = true.
2. Enforce check_permissions = true for REST calls.