projects / civicrm-core.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: ce22d56) | patch
APIv4 - Remove gatekeeper permission check for AJAX api
authorcolemanw <coleman@civicrm.org>
Thu, 1 Jun 2023 13:24:52 +0000 (09:24 -0400)
committercolemanw <coleman@civicrm.org>
Fri, 9 Jun 2023 11:02:01 +0000 (07:02 -0400)
commit6d5d08f2d617f99209bd6d358402ccf74939362c
tree73e53d01bda3a921107907c2fa4f19f4c8eb2a25tree | snapshot (zip tar.gz)
parentce22d560010eb662fea5712452fc2c91be77b981commit | diff
APIv4 - Remove gatekeeper permission check for AJAX api

Historically the AJAX api has required either 'access CiviCRM' or 'access AJAX API' as a broad hedge
against security vulnerabilities, but this interferes with legitimate use-cases for anonymous users
to make ajax requests. Since http requests are allowed by anon, and many Civi pages now contain
ajax elements, this PR replaces that broad hedge with unit tests for AJAX security.
CRM/Api4/Page/AJAX.php diff | blob | blame | history
CRM/Api4/Permission.php [deleted file] blob | blame | history
CRM/Core/xml/Menu/Api4.xml diff | blob | blame | history
CRM/Utils/Hook.php diff | blob | blame | history
ext/afform/core/afform.php diff | blob | blame | history
ext/search_kit/search_kit.php diff | blob | blame | history
tests/phpunit/api/v4/Api4TestBase.php diff | blob | blame | history
tests/phpunit/api/v4/Request/AjaxTest.php [new file with mode: 0644] blob