[CRM-13744] cid=0 contribution & event form autocompletes not working for people with *only* access ajax api - CiviCRM Issue Tracker

Details

Type: Bug
Status: Done/Fixed
Priority: Trivial
Resolution: Fixed/Completed
Affects Version/s: 4.4.1
Fix Version/s: 4.4.3
Component/s: None
Labels:
None

Description

I added some stuff to participant & contribution forms in 4.4 so that if you are registering someone else (cid=0) AND you have permission to see at least one other person in the DB you have the option to select that person & the form will pre-fill with their details. What I think I saw in testing is different to what I saw yesterday - which was that the prefill doesn't work for people without 'Access CiviCRM' permission. I can't see any changes since testing that would account for a change & dgg doesn't recall so lets assume I halucinated it working.

Which takes it to fixing it. The lookup calls CRM_Contact_Page_AJAX::getContactList which in turn calls civicrm_api3('contact', 'getquick') with 'check_permissions' on

When I tried adding 'Access Ajax API' (or whatever it's called) it required 'AND' rather than 'OR'. This wasn't my expectation but seems in line with other permissions set there.

However, I believe that CRM_Contact_Page_AJAX::getContactList is our current 'goto' function for autocompletes (with ACL application) & I specifically think that in this case & others there is a need for people to access other contacts that they have permission to view without being permitted into CiviCRM.

When I considered it last time it was my feeling that no permission was really required on 'getquick' as it returned very limited information about only permitted people. However, it that is not acceptable I guess we need to figure out how to make 'OR' possible in the api permissions - eg.

'update' => array(
'access CiviCRM',
'edit all contacts',
),
'getquick' => array(
'OR' => array(
'access CiviCRM',
'access AJAX API',
),

Attachments

Activity

[CRM-13744] cid=0 contribution & event form autocompletes not working for people with *only* access ajax api

Eileen McNaughton added a comment - 2013-11-12 1:21

Discussed permission syntax

https://gist.github.com/totten/d423b581b57493ced3f5

Donald A. Lobo added a comment - 2013-11-19 0:20

eileen:

are u planning on fixing this for 4.4? if so, any chance we can get a fix today or tomorrow since we'd like to get 4.4.2 out on wed

Eileen McNaughton added a comment - 2013-11-19 0:32

I was waiting to see the outcome of my existing PRs before I decided how to tackle this one.

Donald A. Lobo added a comment - 2013-11-19 3:00

ok, let me know by tomorrow. if no progress on this, we'll push to 4.5. I think at least one of your other PR's were merged into 4.4

Eileen McNaughton added a comment - 2013-11-19 9:18

I'm happy to push this to 4.4.3 - since it resolves an edge-case regression on end user forms in some (rare) instances I don't think we should push it to 4.5/ 4.6

Whatever we do WRT code management we do need this fixed & I have a patch that passes all tests without regression here

https://github.com/eileenmcnaughton/civicrm-core/commit/8437ebff006cd0e11940e5c931937aa70d4f14a3

However, when I looked I was somewhat confused as to whether T/C wanted the array format and/or the string format. The patch does the array format with a token nod to including the string format as well (supports the || but not the &&). It is sufficient to resolve the current regression

Donald A. Lobo added a comment - 2013-11-19 18:33

I'm pushing this to 4.5. When we get agreement on the format and style and completeness and a PR for this, we can pull it back into 4.4.x

People

Assignee:

Eileen McNaughton

Reporter:

Eileen McNaughton

Dates

Created:

2013-11-11 23:51

Updated:

2013-11-27 0:00

Resolved:

2013-11-27 0:00