Unverified commit 5080e861, authored by colemanw, committed by GitHub

Merge pull request #714 from seamuslee001/check_perms_api4

Mention the change in behaviour around check permissions in APIv4 in …
parents d78aab36 a1cb62d0
......@@ -25,7 +25,17 @@ When you write code, you can look at `CRM_Core_Permission::check` to see if the
## API Permissions
Depending on how the API is called, it is either called with a `check_permissions` flag turned off or turned on. When it is turned off, it will run the API without checking if the user has the necessary permissions to perform the action needed. If you turn `check_permissions` on then there will be tests done. By default code in CLI tools e.g. drush or WP-cli or within core code or extension code that is done at run time, the default in CiviCRM APIv3 is that the `check_permissions` flag is turned off. If you call the CiviCRM API through the rest interface then by default the `check_permissions` flag will be turned on. The permissions needed to make various API calls are defined in `CRM_Core_Permission::getEntityActionPermissions()`
Depending on how the API is called, it is either called with a `check_permissions` flag turned on or turned off. When it is turned off, it will run the API call without checking if the user has the necessary permissions to perform the action(s) needed.
If the API call is made with `check_permissions` turned on then the permissions of the user making the API call will be evaluated to ensure the user has the correct permissions to perform the action(s) they are attempting to.
The **APIv3** interfaces (JavaScript/PHP API interfaces) used by CLI tools (e.g: drush or WP-cli), CiviCRM Core and extensions by default run with the `check_permissions` flag turned off.
The **APIv3** rest interface, however, defaults to running with the `check_permissions` flag turned on.
The permissions required to make various API calls are defined in [`CRM_Core_Permission::getEntityActionPermissions()`](https://lab.civicrm.org/dev/core/blob/master/CRM/Core/Permission.php#L935).
By default in **APIv4** the `check_permissions` flag is turned on regardless of the API interface being used, for further details see the [API wrapper differences between API v3 and APIv4](/api/v4/differences-with-v3.md#api-wrapper).
## Extending and Implementing Permission Structure {:#extensions}
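Review bot: The APIv3 sentence in the rewritten paragraph now names "(JavaScript/PHP API interfaces)" as running with `check_permissions` turned off by default, while the paragraph it replaces listed only CLI tools, core code and extension code. Please confirm that the JavaScript interface really runs unchecked by default, because a reader who takes this at face value will assume browser-originated APIv3 calls skip permission checks; if that is not the case, drop "JavaScript" from the parenthetical. Also, the link to `CRM_Core_Permission::getEntityActionPermissions()` points at `master` with a `#L935` line anchor, which will drift as the file changes; link to a fixed commit or drop the anchor. Minor wording: "rest interface" should be "REST interface", "e.g:" should be "e.g.", and the sentence ending "attempting to." reads better as "trying to perform".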