Details
-
Type:
Bug
-
Status: Done/Fixed
-
Priority:
Minor
-
Resolution: Fixed/Completed
-
Affects Version/s: 4.4.6
-
Fix Version/s: 4.5
-
Component/s: Core CiviCRM
-
Labels:
-
Documentation Required?:None
Description
Steps to reproduce:
1. Go to any contact record.
2. Note the contact ID. For example, say it is 12345.
3. Go to url https://example.com/civicrm/contact/merge?reset=1&cid=12345&oid=12345&action=update (note the example id 12345 used twice in this URL to take us directly to the merge page).
4. Expect some sort of error message to be displayed immediately. Observe no error message. Expect that merging the contacts will not be possible from this screen. Observe that the interface allows us to perform the merge. (So let's keep going and see what happens next...)
5. Check all boxes.
6. Click merge.
7. At the very least, expect that at THIS step, we see some sort of error message and see that the merge has not been completed. Observe that the merge has completed, and even though all boxes were checked, data such as emails, phones, contributions, etc. were not retained through the merge. And the resulting contact is marked as deleted. So merging a contact into itself, effectively wipes out that contact. Restoring the contact from the trash does not restore related objects such as emails, contributions, etc.
Although this scenario is unlikely to occur because (I believe) the user can only arrive here by hacking the URL, there still should be some additional safeguards in place to prevent the data loss that occurs here.