System.check permissions changed in Civi 5.46
This is a regression, but most folks aren't going to see this.
PR 22369 adds a new system check to ensure dedupe rules are present. However, it makes an API4 call without bypassing a permission check.
Most of the time you need "Administer CiviCRM" to run System.check so this is usually fine. However, I have an extension that creates a custom permission that can also be used. This allows me to monitor CiviCRM remotely without storing an API key for an admin account on my monitoring server. So on 5.46 that user gets "authorization failed" when I run System.check.
Given the non-sensitive nature of this data, and the fact that someone must have permission to run System.check, I think it makes sense for this API call to bypass the permission check.