  1. CiviCRM
  2. CRM-8011 API 3 permissions
  3. CRM-8061

Don't check API 3 permissions by default (except for REST calls)

    Details

    • Type: Sub-task
    • Status: Done/Fixed
    • Priority: Trivial
    • Resolution: Fixed/Completed
    • Affects Version/s: 3.4.1, 4.0.1
    • Fix Version/s: 3.4.2, 4.0.2
    • Component/s: CiviCRM API
    • Labels:
      None

      Description

      API 3 permissions, as implemented in CiviCRM 3.4.1/4.0.1, kick in unless $params['check_permissions'] is explicitly set to false for all API calls. This means that API calls made in anonymous context will fail the permission check (unless anonymous users have all the relevant permissions OR the API calls set check_permissions to false).

      1. Revert this decision and check permissions only if check_permissions = true.
      2. Enforce check_permissions = true for REST calls.
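
An added sketch of the two defaults described above, not CiviCRM's own code: the function names, the permission table and the dispatcher are hypothetical. It assumes the REST entry point overwrites any client-supplied check_permissions value instead of only defaulting it, so a remote caller cannot switch the check off.

```php
<?php
// Hypothetical sketch: none of these names are CiviCRM internals.

// Constructed table: permission required for each entity.action.
const REQUIRED = ['contact.get' => 'view all contacts'];

// Behaviour described for 3.4.1/4.0.1: check unless explicitly set to false.
function checksByDefault(array $params): bool {
    return ($params['check_permissions'] ?? true) !== false;
}

// Proposed behaviour: check only when check_permissions is true.
function checksOnRequest(array $params): bool {
    return ($params['check_permissions'] ?? false) === true;
}

// REST entry point: force the flag on, discarding whatever the client sent
// (REST values arrive as strings such as "0", so never trust or parse them).
function restParams(array $query): array {
    $query['check_permissions'] = true;
    return $query;
}

// Minimal dispatcher: $policy decides whether the permission table applies.
function dispatch(string $call, array $params, array $userPerms, callable $policy): string {
    $needed = REQUIRED[$call] ?? null;
    if ($needed === null) {
        return 'unknown call';
    }
    if ($policy($params) && !in_array($needed, $userPerms, true)) {
        return 'denied';
    }
    return 'ok';
}

$anonymous = []; // constructed: anonymous user holds no permissions

// Internal call made in anonymous context, under the old and the new default.
echo 'internal, old default: ', dispatch('contact.get', [], $anonymous, 'checksByDefault'), "\n";
echo 'internal, new default: ', dispatch('contact.get', [], $anonymous, 'checksOnRequest'), "\n";

// REST call in which the client tries to disable the check.
$rest = restParams(['check_permissions' => '0']);
echo 'REST, flag forced on:  ', dispatch('contact.get', $rest, $anonymous, 'checksOnRequest'), "\n";
```

With an opt-in default, every remotely reachable entry point has to set the flag itself; any new one that forgets to do so runs unchecked.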


            People

            • Assignee:
              shot Piotr Szotkowski
              Reporter:
              shot Piotr Szotkowski