CiviCRM Community Forums (archive)

Hello,

I'm currently working on developing a mobile app that will be able to access the CiviCRM Database (using the ajax API).  I understand that this requires CMS authentication (I'm using Joomla!), but I was wondering if you could do this without logging into the back end.  I'm not exactly sure how the AJAX authentication works, and what sort of login type is required.

Currently I've tried logging into the CMS through the frontend (as a Super User with all permissions), and the authentication doesn't work. However, when I log into the backend, and try to access the mobile app, the authentication DOES work.  I was wondering if there's a way to log into the front end and still having the authentication needed to access the API.  I've played with the ACL on Joomla!, but this hasn't helped at all.  Even when I grant a user ALL permissions in CiviCRM AND the rest of the site and they log into the front end, the user still cannot access the API.  The only way they can access the information in the mobile client (through the rest API), is if they're logged into the back end.  I was wondering if there's a way around this.

the site in question:
http://civicrmmobile.cloudaccess.net/

If you just log into the frontend, you cannot access the database from the mobile client, but if you log into the backend, you can.

Thanks for your time.

@bstalcup, if you create a contact who has permissions to access the contacts you need, you can access the JSON API using an API key.

Your mobile app needs three values - URL of API endpoint, site key (in civicrm.settings.php), api_key (in civicrm_contact table), API key means the permissions of the device owner can be applied.

Create URL with API endpoint, entity (type) & action: /civicrm/ajax/rest?entity=Contact&action=get

Then POST the rest of your values: api_key=abc&site_key=def&id=123

See class.api.php for examples (there are a few more settings like debug=1 & json=1 which you'll probably want to set).

The API guide in the developer handbook ("Calling the API from an external server via the REST API") talks about initialising a session, but AFAIK you can skip that and just post the API key every time so there's no need to store the session key locally or do session init.

check_permissions=0 only works from within the CMS (if you can execute php, the permissions system isn't going to help much)

Via http (to civicrm/ajax or rest.php) a flag like check_permissions=0 would bypass all of the built in security, which wouldn't be very good news

Instead those entry points require either a session ID already configured, or an API key.

It should be possible, I use the same kind of setup (but with Drupal) to synchronize data between different systems. I know the CiviMobile attempts use the API too. Security is not my topic....
In the setups I work with I do not use the check_permissions. Did you have a look at the CiviMobile code already present on GitHub?

The problem I'm encountering is that in Joomla you can log in as BOTH a user AND an admin (in different locations).  And you have to be logged in as an admin in order for the ajax authentication to work.  I was wondering if there was a way to authenticate a regular user, and not an admin. 

OK, they are two (confusingly named almost the same) methods:

the REST one in rest.php. it's made to let an external trusted server access civicrm and uses key+api_key as authentication

the ajax one, that uses civicrm/ajax/rest. it's made to be accessed from the browser by users that are already authenticated (and it uses the user session to authenticate)

In the REST, we strongly suggest to use POST, not GET so the key isn't in the url, but we don't ban the practice of using GET (yet at least). You should use post instead of get, it works all the time and they are little reasons of using get.

in ajax, we suggest to use the CRM.api wrapper, that puts the right params wherever needed so you don't have to think about it.

If you need all your users to be able to access ajax via the browser, you shouldn't use the rest (api key) interface but the ajax one.

They might be a fix needed to make civicrm/ajax/rest working in joomla via the front-end, would be great if you could investigate.

X+

Also - Trouble finding a document that it explains how to generate an API key for each user.  Do you just add directly to the database?  Is it in the backend?

Not aware of any documentation on this. As the API error says - Join the API (docs) team and implement it! (Document it, I mean!)

I actually had a fool around in civicrm/api/explorer the other day to see if I could coax it into setting or getting api_key, but it seems like that's not permitted

I'm surprised it safe to add a user/pass to the URL since the server can log it.

It's possible, but not safe. User/pass should be in POST only. Any sensitive data (creds, contact data) should be over SSL.

IMO it'd be good to specifically reject that usage in future versions, may already be a ticket on it @ issues.civicrm.org?

Thanks Chris.  Well, I just went right into the database to add the user API key (used the hash value) - I imagine there is a better way.

not so much, mostly because it's not meant to be done for a lot of users (I hardly ever have more than two users with api_key) and if a user can't modify the db directy, he most probably shouldn't use the api_key in the first place.

FYI:  Still a bit stuck using REST with the quicksearch or getquick action (I've seen it referenced both ways).  I saw a fix in ajax here: http://issues.civicrm.org/jira/browse/CRM-11136 .
Wondering if, perhaps,  it was not applied to the rest api, but more likely my mistake somewhere.

getquick was a workaround, specifically to be automatically whitelisted to be accessible over http get. You can use it. But why aren't you using the normal contact.get api instead?