Auto-complete option values aren't available to anonymous users
Overview
A custom field of input type "Autocomplete-Select" doesn't return results for anonymous users, even with the "Access AJAX API" permission granted.
Reproduction steps
- Change an existing field (e.g. "Soup Selection") from Dropdown to Autocomplete-Select.
- Add the field to a profile on a public-facing event page.
- Grant the anonymous user the Access AJAX API permission.
- View as an anonymous user.
Current behaviour
No results are returned.
Expected behaviour
Results are returned, as they are with a "Dropdown" input type.
Comments
The error is that anonymous users don't have access to the "Optionvalue.getlist" API because it requires "Access CiviCRM". This seems like the wrong permission; I think "Access AJAX API" should be sufficient. From a UX perspective, it's pretty inconsistent that a Select works but not an Autocomplete-Select.
I'm proposing that we allow anonymous users to access OptionValue.get - I'm interested in whether there are use cases where this results in an information disclosure vulnerability. I can't think of any myself.