  1. CiviCRM
  2. CRM-10850

Fatal DB error breaks Civi for ACL-restricted users when ACLs target certain kinds of Smart Groups

    Details

    • Type: Bug
    • Status: Done/Fixed
    • Priority: Major
    • Resolution: Fixed/Completed
    • Affects Version/s: 4.2.1
    • Fix Version/s: 4.2.2
    • Component/s: Core CiviCRM

      Description

      After upgrading to Civi 4.2.1, we find that ACL-restricted users (users without "View/Edit All Contacts" permissions) are unable to view, edit or search contacts. Any attempt to view, edit or search contacts results in a "DB Error: unknown error". This problem does not affect users with "View/Edit All Contacts" permissions.

      Our site relies on several ACLs where the target set of data is a Smart Group. In some important cases, these Smart Groups were defined using the Include/Exclude search.

      As noted in http://issues.civicrm.org/jira/browse/CRM-10848, as of Civi 4.2.1 a similar error results when attempting to save a Smart Group based on an Include/Exclude search. Therefore, I looked into a possible connection, and there does seem to be one, based on the steps to reproduce the issues and the debugging output from both.

      Because of our heavy reliance on these ACLs built on Include/Exclude Smart Groups, this problem breaks Civi 4.2.1 for us. It would be a major (if not impossible) task to rebuild those Smart Groups using some other type of search.

      To reproduce:

      1) Log in to Civi on Drupal as an administrator.

      2) Do a Search > Custom Searches > Include/Exclude Search, and use the results to create a new Smart Group. (Either do this in an earlier version of Civi and upgrade to 4.2.1, as we did, or do it in 4.2.1 and ignore the fatal error crash – the group will still be created.)

      3) Go to Administer > Users and Permissions > Permissions (Access Control) > Manage ACLs > Add ACL. For Role, select Authenticated. For Operation, select Edit. For Type of Data, select "A group of contacts". For Group, select the Smart Group you created in Step 2. Check Enabled. Save.

      4) In Drupal permissions administration, make sure there is some user who does not have "View All Contacts" permissions or "Edit All Contacts" permissions.

      5) Log in as the user from Step 4.

      6) Attempt to search for contacts, view contacts or edit contacts. An error will result.

      I am attaching the output of Civi's debugging mechanism.


            People

            • Assignee: Donald A. Lobo (lobo)
            • Reporter: Noah Miller (noah)