Details
-
Type:
Bug
-
Status: Done/Fixed
-
Priority:
Critical
-
Resolution: Fixed/Completed
-
Affects Version/s: 3.4.8, 4.2.6
-
Fix Version/s: 4.2.7
-
Component/s: CiviReport
-
Labels:None
Description
Most report instances have valid permissioning protection set by default. However, four "newer" reports were instantiated without specifying a permission value. This was probably missed because the form selects 'access CiviReport' permission by default if no permission has been set in the DB row (hence saving the report instance 'fixes' things).
Fixes for new installs (civicrm_navigation.tpl)
============================
- Contribution and Membership Details - added 'access CiviMember' permission to match other Contribution report instances.
- Mailing Detail - added 'access CiviMail' permission to match other Mailing report instances.
- Grant Report (Statistics) - added 'access CiviGrant' permission.
- Survey Details - added 'access CiviReport' permission (since it's not clear to me which CiviCampaign perm is relevant).
Upgrade fixes
==========
- 4.2.alpha1.mysql.tpl: Mailing Detail and Contribution and Membership Details reports were inserted with missing a default permission in the insert. I've fixed that file.
- 3.4.alpha1.mysql.tpl: Survey Report inserted with missing default permission. Fixed that file.
- Adding logic to 4.2.7.mysql.tpl to set default permission for the above 4 report instances IF a value is not already set.
NOTE: The permission for a report instance is represented in TWO places in the report_instance table for "some reason". There's a 'permission' column, AND the permission field value is also stored in the serialized 'form_values' blob. For the 4.2.7 upgrade I'm only fixing the 'permission' column which seems to be the one that takes effect based on some testing manipulating data directly in the DB.