Proposal - add an optional access_arguments key to setting spec
Currently when calling Setting.get or Setting.getoptions you need 'administer CiviCRM' permission
I recently found that an angular form was broken for users without this & digging into it I'm using the hook as a short term solution - ie
if ($entity === 'setting' &&
(($action === 'get' && isset($params['return']) && $params['return'] === 'deduper_equivalent_name_handling')
|| ($action === 'getoptions' && $params['field'] === 'deduper_equivalent_name_handling'))
) {
$permissions['setting']['get'] = [['merge duplicate contacts', 'administer CiviCRM']];
}
But this relies on the setting being accessed this way - so it's very brittle. I'm not sold on just lowering the whole permission level.
My feeling is that we should extend the metadata spec - ie add optional key of
'access_arguments' => ['default' => 'be amazing', 'get' => 'be fair to middling']
- this would mean only amazing people can create the setting (when check_permissions are enabled) but fair to middling people could get the setting.
In all cases the default is still 'Administer CiviCRM' if nothing is set