Right now, there's no provision for allowing users who don't have "Access CiviCRM" permission to get information directly from the API using AJAX. (Though I know it's possible to write PHP that returns stuff from the API and call that.) I'd like to suggest creating a new permission that could be granted to users who should be able to get things through AJAX without granting them "Access CiviCRM".
To do so, there would need to be these changes:
- set up a new permission in CRM/Core/Permission.php to be called "use API AJAX get" or something similar
- edit the array of API permissions in CRM/Core/.permissions.php to replace "Access CiviCRM" with "use API AJAX get" for the get actions (assuming that one should need "Access CiviCRM" to do anything other than get)
- edit api/v3/utils.php to deal with users that have "Access CiviCRM" but not "use API AJAX get" (if a user doesn't have "use API AJAX get", it should check for "Access CiviCRM" and allow that to suffice)
- in the civicrm_menu table, change the access argument for civicrm/ajax/rest to "use API AJAX get" instead of "Access CiviCRM"
This opens the door to use the new hook_civicrm_alterAPIPermissions to fine-tune things. Right now, other users can't get a foot in the door.
Does this seem like a reasonable idea? Have I ignored some security hole? I can put together a patch if this seems worthwhile.