Fix 'Authorization Failed' regression when submitting eg. webform via checksum

[mattwire]

Overview

When a user accesses API3 (eg Activity.create, Case.create, EmailApi.send) and they are accessing via a checksum link (I tested using a drupal webform submission with a checksum) the API calls fail with "Authorization Failed". I traced this to the recently changed in #23099 API4 RecentItems::update()

I'm not certain if setting checkPermissions = FALSE is the correct thing to do here because this code is called on every post hook but I think that's effectively how it was working before.

Before

Cannot use API3 calls when "logged in" via a checksum.

After

Can use API3 calls when "logged in" via a checksum.

Technical Details

The user does not have "Access CiviCRM" but an "authenticated user" does have "Access AJAX API" and I think the checksum gives them "authenticated user" access? An alternative might be to open up permissions on RecentItems to "Access AJAX API"?

Comments

@colemanw @eileenmcnaughton per discussion in product-maintenance. This is a regression on 5.49.

[civibot]

(Standard links)

• If this is your first pull-request for CiviCRM, please browse CONTRIBUTING.md for information about the development and testing processes.
• If you are reviewing this pull-request, you may wish to consult the test sites and the Review Standards (long template, short template).

[eileenmcnaughton]

@colemanw part of me wonders if we should look at the permissions model here - but this is a quick fix so even if we did look at permissions that could be in master?

[eileenmcnaughton]

I'm gonna merge this - doesn't stop us revisiting permissions later