api: don't check category permissions (#54757)

tests/api/test_formdata.py

@@ -1046,6 +1046,17 @@ def test_api_ods_formdata(pub, local_user):
         ods_sheet = ET.parse(zipf.open('content.xml'))
     assert len(ods_sheet.findall('.//{%s}table-row' % ods.NS['table'])) == 311
 
+    # check it's not subject to category permissions
+    role2 = pub.role_class(name='test2')
+    role2.store()
+    category = Category()
+    category.name = 'Category 1'
+    category.export_roles = [role2]
+    category.store()
+    formdef.category = category
+    formdef.store()
+    get_app(pub).get(sign_uri('/api/forms/test/ods', user=local_user), status=200)
+
 
 def test_api_global_geojson(pub, local_user):
     pub.role_class.wipe()

wcs/backoffice/management.py

@@ -2181,7 +2181,11 @@ class FormPage(Directory):
 
     def csv(self):
         self.check_access()
-        if self.formdef.category and not self.formdef.category.has_permission('export', get_request().user):
+        if (
+            not get_request().is_api_url()
+            and self.formdef.category
+            and not self.formdef.category.has_permission('export', get_request().user)
+        ):
             raise errors.AccessForbiddenError()
         fields = self.get_fields_from_query()
         selected_filter = self.get_filter_from_query()
@@ -2235,7 +2239,11 @@ class FormPage(Directory):
         if get_request().has_anonymised_data_api_restriction():
             # api/ will let this pass but we don't want that.
             raise errors.AccessForbiddenError()
-        if self.formdef.category and not self.formdef.category.has_permission('export', get_request().user):
+        if (
+            not get_request().is_api_url()
+            and self.formdef.category
+            and not self.formdef.category.has_permission('export', get_request().user)
+        ):
             raise errors.AccessForbiddenError()
         fields = self.get_fields_from_query()
         selected_filter = self.get_filter_from_query()