CiviCRM / CRM-13744

cid=0 contribution & event form autocompletes not working for people with *only* access ajax api

    Details

    • Type: Bug
    • Status: Done/Fixed
    • Priority: Trivial
    • Resolution: Fixed/Completed
    • Affects Version/s: 4.4.1
    • Fix Version/s: 4.4.3
    • Component/s: None
    • Labels: None

      Description

      I added some stuff to participant & contribution forms in 4.4 so that if you are registering someone else (cid=0) AND you have permission to see at least one other person in the DB you have the option to select that person & the form will pre-fill with their details. What I think I saw in testing is different to what I saw yesterday - which was that the prefill doesn't work for people without 'Access CiviCRM' permission. I can't see any changes since testing that would account for a change & dgg doesn't recall so let's assume I hallucinated it working.

      Which takes it to fixing it. The lookup calls CRM_Contact_Page_AJAX::getContactList which in turn calls civicrm_api3('contact', 'getquick') with 'check_permissions' on.

      When I tried adding 'Access Ajax API' (or whatever it's called) it required 'AND' rather than 'OR'. This wasn't my expectation but seems in line with other permissions set there.

      However, I believe that CRM_Contact_Page_AJAX::getContactList is our current 'goto' function for autocompletes (with ACL application) & I specifically think that in this case & others there is a need for people to access other contacts that they have permission to view without being permitted into CiviCRM.

      When I considered it last time it was my feeling that no permission was really required on 'getquick' as it returned very limited information about only permitted people. However, if that is not acceptable I guess we need to figure out how to make 'OR' possible in the api permissions - e.g.

      'update' => array(
        'access CiviCRM',
        'edit all contacts',
      ),
      'getquick' => array(
        'OR' => array(
          'access CiviCRM',
          'access AJAX API',
        ),
      ),
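
One way the 'OR' syntax proposed above could be evaluated, added here as an example; it is not CiviCRM code and not part of the original issue. The function names `permissionsSatisfied` and `anyGranted`, the rule labels and the two sample permission sets are hypothetical.

```php
<?php
// Added illustration, not CiviCRM code. Function names and the sample
// permission sets are hypothetical / constructed for this example.

// Top-level entries are ANDed; an entry keyed 'OR' lists alternatives,
// any one of which satisfies that entry.
function permissionsSatisfied(array $required, array $granted): bool {
  foreach ($required as $key => $rule) {
    // Strict comparison: before PHP 8, 0 == 'OR' is TRUE, so a loose check
    // would treat the first plain entry as an OR group.
    if ($key === 'OR') {
      // Fail closed: a malformed or empty OR group satisfies nothing.
      if (!is_array($rule) || !anyGranted($rule, $granted)) {
        return FALSE;
      }
    }
    elseif (!is_string($rule) || !in_array($rule, $granted, TRUE)) {
      return FALSE;
    }
  }
  return TRUE;
}

function anyGranted(array $alternatives, array $granted): bool {
  foreach ($alternatives as $perm) {
    if (is_string($perm) && in_array($perm, $granted, TRUE)) {
      return TRUE;
    }
  }
  return FALSE;
}

$rules = array(
  'update' => array('access CiviCRM', 'edit all contacts'),
  // Behaviour described in the issue: both permissions required.
  'getquick (AND)' => array('access CiviCRM', 'access AJAX API'),
  // Proposed form: either permission is enough.
  'getquick (OR)' => array('OR' => array('access CiviCRM', 'access AJAX API')),
);
$users = array(
  'ajax-only' => array('access AJAX API'),
  'back-office' => array('access CiviCRM', 'edit all contacts'),
);
foreach ($users as $name => $granted) {
  foreach ($rules as $action => $required) {
    $ok = permissionsSatisfied($required, $granted) ? 'allow' : 'deny';
    printf("%-12s %-15s %s\n", $name, $action, $ok);
  }
}
```

The check only decides whether the action may be called; which contacts come back is still a matter for the ACL filtering the issue mentions.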

            People

            • Assignee: Eileen McNaughton (eileen)
            • Reporter: Eileen McNaughton (eileen)