Question/Discussion: Inconsistencies between "access CiviCRM" and "access AJAX API" permission grants?
Overview
We are developing client applications that integrate with CiviCRM via its API and the AuthX extension. This allows us to query the API as the user, rather than as the client applications.
Users of our client applications do not need, and should not have, the "access CiviCRM" permission. So we have been building our apps on the basis of using the "access AJAX API" permission instead.
Unfortunately, we have discovered that almost every API call involving core entities assumes "access CiviCRM" as the baseline permission for use: Group.get, Participant.get, etc., as defined in CRM/Core/Permission.php.
Perhaps we have mistakenly assumed that "access AJAX API" was designed as a functionally equivalent permission to "access CiviCRM", minus the CiviCRM UI access.
Should the "access AJAX API" permission have the same baseline (API) permissions as "access CiviCRM"?
(I see a bigger challenge for us here in terms of the range of permissions required for certain calls, e.g. Participant.get requires 'access civicrm', 'access civievents', 'view all participants', but one problem at a time)
Reproduction steps
- Set up a user with an API key, etc., and a role that does not have the access civicrm permission but does have the access ajax api one
- Query the API v3 REST endpoint with the user's credentials; e.g. Group.get, Contact.get, etc.
- Get an API permissions error response
Current behaviour
Many/most API calls (at least Entity.get calls) made by users with only the 'access ajax api' call return a permissions denied error: 'require "access civicrm"'
Expected behaviour
Many/most API calls made by these users should return results
Environment information
- CiviCRM: 5.49.5
- PHP: 7.4
- CMS: Drupal 7.91
- Database: MariaDB 10.4.21
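
One least-privilege way to handle the case described above, as an added example that is not part of the original post and not CiviCRM core code: an implementation of the API v3 hook hook_civicrm_alterAPIPermissions that replaces the "access CiviCRM" baseline with "access AJAX API" for an explicit allow-list of read calls only. The module name apiclient and the allow-list contents are assumptions.

```php
<?php
/**
 * Added example, not CiviCRM core code and not from the original post.
 * "apiclient" is a hypothetical Drupal 7 module name.
 *
 * Implements hook_civicrm_alterAPIPermissions() (API v3 only).
 */
function apiclient_civicrm_alterAPIPermissions($entity, $action, &$params, &$permissions) {
  // Assumed allow-list: the read-only calls the client applications need.
  // Everything else keeps the requirement set in CRM/Core/Permission.php.
  $allow = [
    'group' => ['get'],
    'participant' => ['get'],
  ];

  // Normalise defensively so the allow-list lookup is case-insensitive.
  $entity = strtolower($entity);
  $action = strtolower($action);
  if (!in_array($action, $allow[$entity] ?? [], TRUE)) {
    return;
  }

  // No explicit rule for this call: leave core's fallback untouched.
  if (!isset($permissions[$entity][$action]) || !is_array($permissions[$entity][$action])) {
    return;
  }

  // Swap only the UI baseline. Entity-specific requirements (for example
  // the event permissions on Participant.get) stay in force. Nested arrays
  // (alternative permission sets) are not strings and are left as they are.
  foreach ($permissions[$entity][$action] as $i => $perm) {
    if (is_string($perm) && strcasecmp($perm, 'access CiviCRM') === 0) {
      $permissions[$entity][$action][$i] = 'access AJAX API';
    }
  }
}
```

Because only the baseline entry is replaced, a role still needs every other permission a call lists, and any entity or action missing from the allow-list continues to require "access CiviCRM".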