APIv4 - Remove gatekeeper permission check for AJAX api
author: colemanw <coleman@civicrm.org>
Thu, 1 Jun 2023 13:24:52 +0000 (09:24 -0400)
committer: colemanw <coleman@civicrm.org>
Fri, 9 Jun 2023 11:02:01 +0000 (07:02 -0400)
commit: 6d5d08f2d617f99209bd6d358402ccf74939362c
tree: 73e53d01bda3a921107907c2fa4f19f4c8eb2a25
parent: ce22d560010eb662fea5712452fc2c91be77b981
APIv4 - Remove gatekeeper permission check for AJAX api

Historically the AJAX api has required either 'access CiviCRM' or 'access AJAX API' as a broad hedge
against security vulnerabilities, but this interferes with legitimate use-cases for anonymous users
to make ajax requests. Since http requests are allowed by anon, and many Civi pages now contain
ajax elements, this PR replaces that broad hedge with unit tests for AJAX security.
CRM/Api4/Page/AJAX.php
CRM/Api4/Permission.php [deleted file]
CRM/Core/xml/Menu/Api4.xml
CRM/Utils/Hook.php
ext/afform/core/afform.php
ext/search_kit/search_kit.php
tests/phpunit/api/v4/Api4TestBase.php
tests/phpunit/api/v4/Request/AjaxTest.php [new file with mode: 0644]