veda-consulting-company / uk.co.vedaconsulting.mailchimp

(drupal) the anonymous user needs 'Mailchimp: allow webhook posts' permissions #232

Open johanv opened 7 years ago

johanv commented 7 years ago

I am using Drupal and the mailchimp extension from the git master branch. My CiviCRM instance couldn't create webhooks in Mailchimp, and I could not do it manually either.

The solution is easy, but it took me a while to figure it out. If you assign the 'allow webhook posts' permission to the anonymous user, everything works fine.

Maybe this should be added to the documentation. Or maybe the extension installer can take care of this.

xurizaemon commented 7 years ago

We ran into this also. It looks like that was the intent in the XML - see xml/Menu/Mailchimp.xml - but I'm not sure it works as intended, and you do need to find and set that permission for anonymous user.

johanv commented 7 years ago

I think this line of code causes an error 500 if the user does not have that permission.

Kajakaran commented 7 years ago

@artfulrobot Do you have any reason why we are commenting this permission in the new API V2? https://github.com/veda-consulting/uk.co.vedaconsulting.mailchimp/blob/922edef3c01a5da13e84df3304655975fa38ccc9/xml/Menu/Mailchimp.xml

@johanv

artfulrobot commented 7 years ago

nope, looks like it was https://github.com/veda-consulting/uk.co.vedaconsulting.mailchimp/commit/92a152bb3e723e2d9c17305aa104fb6fd9673f91 by @vajeevan ?

artfulrobot commented 7 years ago

I think there's a problem with this anyway. There's the concept that you can allow or disallow access to a webhook - which will only ever be accessed anonymously.

In Drupal this is fine (if you remember to give the permission to the anon user) but I can't figure out how to do that in WordPress, which AFAICS does not have an anonymous user.

What's the point of the permission? To disable the webhook? You can remove the webhook from Mailchimp for that. I'd vote to strip that code out and allow access to all. The secret key thing is in place to stop abuse and as I say, Mailchimp is not going to be an authenticated user anyway.

michaelmcandrew commented 7 years ago

:+1: This permission does not make sense as Mailchimp is not going to be able to access anything apart from a publicly accessible URL. The key makes sense. From a security perspective, I think the most sensible thing to do would be to require and automatically generate a random key on the CiviCRM side (like Mailchimp does on its side) and to recommend HTTPS.
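
The approach proposed in the last comments (a publicly reachable webhook guarded by a required, auto-generated random key and served over HTTPS), sketched as an added example that is not part of the thread and not the extension's own code. The function names, the `key` query parameter and the endpoint URL are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not the extension's code.

/** Generate a 256-bit random webhook key, hex-encoded (64 characters). */
function webhook_generate_key(): string {
  return bin2hex(random_bytes(32)); // CSPRNG, never mt_rand()/uniqid()
}

/** Build the URL to register with Mailchimp; refuses non-HTTPS bases. */
function webhook_build_url(string $baseUrl, string $key): string {
  if (strtolower((string) parse_url($baseUrl, PHP_URL_SCHEME)) !== 'https') {
    throw new InvalidArgumentException('Webhook URL must use https');
  }
  return $baseUrl . '?' . http_build_query(['key' => $key]);
}

/**
 * Decide whether an incoming anonymous request may be processed.
 * Fails closed: an unset or short stored key rejects every request,
 * so the endpoint is never open just because setup was skipped.
 */
function webhook_is_authorized(array $query, ?string $storedKey): bool {
  if ($storedKey === null || strlen($storedKey) < 32) {
    return false;
  }
  $supplied = $query['key'] ?? null;
  if (!is_string($supplied)) {
    return false; // missing, or an array such as ?key[]=x
  }
  return hash_equals($storedKey, $supplied); // constant-time comparison
}

// Constructed sample values; the endpoint URL is a placeholder.
$key = webhook_generate_key();
echo webhook_build_url('https://crm.example.org/webhook-endpoint', $key), "\n";
var_dump(webhook_is_authorized(['key' => $key], $key));    // correct key
var_dump(webhook_is_authorized(['key' => 'guess'], $key)); // wrong key
var_dump(webhook_is_authorized([], $key));                 // key missing
var_dump(webhook_is_authorized(['key' => ['x']], $key));   // array input
var_dump(webhook_is_authorized(['key' => ''], ''));        // no key configured
```

Because the key travels in the query string, it will appear in web server access logs; rotating it means generating a new key and re-registering the webhook URL in Mailchimp.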