Make StripePaymentintent.ProcessPublic conditional on 'make online contributions' permission

Civi/Api4/StripePaymentintent.php

@@ -13,7 +13,10 @@ class StripePaymentintent extends Generic\DAOEntity {
   public static function permissions() {
     $permissions = parent::permissions();
     $permissions['processMOTO'] = ['allow stripe moto payments'];
-    $permissions['processPublic'] = [\CRM_Core_Permission::ALWAYS_ALLOW_PERMISSION];
+    // The "minimum" permission for an API4 call is "access CiviCRM"|"access AJAX API".
+    // We can't remove the requirement for one of those permissions here.
+    // So we specify only 'make online contributions' using alterAPIRoutePermissions hook.
+    // $permissions['processPublic'] = ['make online contributions'];
     return $permissions;
   }
 

docs/faqs.md

+# FAQ
+
+## Permissions
+
+To accept payments using Stripe you must have "make online contributions" permission enabled.
+No other permissions are required.
+
 ## Terminology
 
 #### CiviCRM <=> Stripe

stripe.php

@@ -255,3 +255,18 @@ function stripe_civicrm_permission(&$permissions) {
     $permissions['allow stripe moto payments'] = E::ts('CiviCRM Stripe: Process MOTO transactions');
   }
 }
+
+/**
+ * Implements hook_civicrm_alterApiRoutePermissions().
+ *
+ * @see CRM_Utils_Hook::alterApiRoutePermissions
+ */
+function stripe_civicrm_alterApiRoutePermissions(&$permissions, $entity, $action) {
+  if ($entity == 'StripePaymentintent') {
+    // These actions should be accessible to anonymous users; permissions are checked internally
+    $allowedActions = ['ProcessPublic'];
+    if (in_array($action, $allowedActions, TRUE)) {
+      $permissions = 'make online contributions';
+    }
+  }
+}