From c85dbf4ecbfadee8ecc199eaa3447981e21e03de Mon Sep 17 00:00:00 2001 From: Tim Otten Date: Wed, 3 Feb 2021 18:59:12 -0800 Subject: [PATCH] (NFC) hook_civicrm_alterApiRoutePermissions - Expand on docblock --- CRM/Utils/Hook.php | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/CRM/Utils/Hook.php b/CRM/Utils/Hook.php index 5c7324b2b0..2c0d195862 100644 --- a/CRM/Utils/Hook.php +++ b/CRM/Utils/Hook.php @@ -2788,6 +2788,22 @@ abstract class CRM_Utils_Hook { /** * Alter APIv4 route permissions based on the Entity and Action * + * This is an experimental hook intended to *relax* the requirement + * for "access AJAX API" when calling public-oriented APIs. + * + * Historically, when APIv2/v3 were first exposed to an HTTP interface, using + * the HTTP interface required an extra permission "access AJAX API". This is a + * broad hedge against security flaws within those API's. In the current APIv4 + * era, security concerns are often baked into each API, so there is a debate about + * whether "access AJAX API" serves a purpose or just makes + * administration/development more complicated. (So far, there's more support + * for the latter.) + * + * This hook might foreseeably be abandoned either... + * + * - if it is found that "access AJAX API" guard is not needed for APIv4. + * - if the policy is moved into metadata. + * * @param array|string $permissions * @param string $entity * @param string $action -- 2.25.1
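Review bot: The new docblock text explains why the hook exists but not what an implementation is allowed to do with `$permissions`, which is the part an extension author needs before relaxing a route. Since the hunk documents `@param array|string $permissions` without saying whether the value is modified by reference, how an array of permissions is evaluated (all required vs. any), or what happens if it is emptied, please add a sentence stating the expected contract, e.g. that a hook should only loosen the "access AJAX API" requirement for a specific `$entity`/`$action` pair whose APIv4 action enforces its own checks, and should not return an empty permission set. The hedge "security concerns are often baked into each API" deserves the same caveat: "often" is not "always", so implementers should be told to verify the target action before relaxing. Minor: "security flaws within those API's" should read "APIs", and "(So far, there's more support for the latter.)" is a status remark that will go stale in a docblock; the "This hook might foreseeably be abandoned" list already carries the experimental warning.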