CiviCRM Community Forums (archive)

can u post a link tot the docs, so we have a better context of where that is made etc

lobo

The doc is here: http://wiki.civicrm.org/confluence/display/CRMDOC42/API+Security

The use case; A profile for an authenticated user to create a contact with several memberships. There is a select with options of Organizations that have membership types associated with them. The user selects an organization and then the membership type select is populated using AJAX. This user has no access to civicrm. This user only does data entry. The membership part of the profile are custom fields with the membership entry done in a custom module.

I have converted the AJAX api call to jquery ajax calling a custom php script that does the db fetches. This avoids the api permissioning .system

Thanks Xavier. That would work, but I don't have ssh access to the site (can't install civix). I've searched for a manual method for creating extensions, but have not found any yet.....

I did create an extension and implemented hook_civicrm_alterAPIPermissions setting $params['check_permissions'] = false; for my new entity. Works great. Thanks.

Did this example ever get posted somewhere? I'd love to see the real-life example!

Also, the page referenced (http://wiki.civicrm.org/confluence/display/CRMDOC42/API+Security) is for Civi 4.2 - and I haven't been able to find a 4.3 version of the page in the wiki, even though there's a rather important reference to changes made in the 4.3 API default permissions setup!

Permissions within API

When check_permissions is set to 1 then the contact calling the API will be checked to see if they have appropriate credentials.

Permissions used by each API action as set in the file CRM/Core/DAO/.permissions. As of 4.3 any api action not specifically defined there required 'Administer CiviCRM' access.

These permissions can be altered using the AlterAPIPermissions hook.

As of 4.3 the Contact-Get API also applies ACL permissions. So, a person will only have the records of the contacts they are permitted to see returned. Only fields explicitly declared in getfields may be returned (the return param can not be manipulated to get extra fields).

Hi

I'm on drupal and I have problems as well with the ajax api permissions:

I have a view, where I want to get the OptionValues to use as options in a select form. I have this script fetching the optionValues:

CRM.api('OptionValue', 'get', {'sequential': 1, 'option_group_id': 87},
     {success: function(data) { // doing stuff ...
It works great for me, the admin, but for another user role, having permissions "access civicrm" and "acces AJAX API", I get this error:
API permission check failed for OptionValue/get call; missing permission: administer CiviCRM.

So I created a custom module to stop checking for permissions when calling for those optionvalues (following the example from the wiki):
function mymodule_civicrm_alterAPIPermissions($entity, $action, &$params, &$permissions)
{
    // skip permission checks for optionvalue get calls
    // note: unsetting the below would require the default ‘access CiviCRM’ permission
    $permissions['optionvalue']['get'] = array();

    // the above didn't work, so I tried this as well
    if ($entity == 'OptionValue' and $action == 'get' and $params['option_group_id'] == '87') {
        $params['check_permissions'] = false;
    }

}

Alas - I cannot get it to work. Any clues on what I am missing?

Checked, and it's here - or I mean there - it get's called.
It's a drupal module, so not a module of civi extension