CiviCRM / CRM-15662

ACLs do not work when target is a smart group


    • Type: Bug
    • Status: Done/Fixed
    • Priority: Major
    • Resolution: Fixed/Completed
    • Affects Version/s: 4.5.4, 4.7.1
    • Fix Version/s: 4.5.5
    • Component/s: Core CiviCRM
    • Funding Source:
      Needs Funding


      I just recreated this with both 4.5 and 4.6 (master) sandboxes in Drupal so this is not specific to a CMS.

      My steps:

      • Create Drupal 'Staff' role with 'access CiviCRM' but NOT view all contacts and NOT edit all contacts
      • Assign that role to a new user
      • Create 'Arizona Admins' group, Access Control = True
      • Add your user's contact to that group
      • Create a smart group for all contacts w/ address in Arizona ('Arizona Constituents')
      • Create 'Arizona Admins' ACL role
      • Create 'Arizona Access' ACL granting 'Edit' access on 'Arizona Constituents' group to the 'Arizona Admins' role
      • Assign 'Arizona Admins' group to 'Arizona Admins' ACL role
      • Login as your 'Staff' user and do Find Contacts

      Expect to see all Arizona Constituents. Actual behavior is no results.

      NOTE: ACLs do work when target is a regular (not-smart) group. You can verify by adding another ACL:

      • Create 'Newsletter Subscriber Access' ACL granting Edit access on the 'Newsletter Subscribers' group to the Arizona Admins role
      • Log back in as 'Staff' user and repeat the search. You will get the expected ~60 contacts in New

      — Original Post —
      I am using 4.5.4, and WordPress 4. I can't get smart groups to work with a WordPress login. I want chapter admin logins to only be able to see their members. I've set up roles, ACLs, smart groups, and nothing works so far.

      These are the steps to reproduce.

      Call the target chapter ChapterA...

      1. create WordPress role "ChapterA Staff". Give it all capabilities for now.

      2. create WordPress account "ChapterA Staff". Assign the ChapterA Staff role.

      3. create new group: ChapterA Staff (normal group) and add ChapterA Staff account added in step 2, then create group "ChapterA Members" (smart group, based on search criteria for ChapterA members). Verify smart group works.

      4. CiviCRM » Administer CiviCRM » Option Groups » Access Control » Manage ACL Roles: create role "ChapterA Staff".

      5. CiviCRM » Administer CiviCRM » Access Control » WordPress Access Control: allow ChapterA Staff various permissions, including View all contacts

      6. CiviCRM » Manage ACLs » Access Control » Assign Users to Roles: assign the ChapterA Staff user to the ChapterA Staff role.

      7. CiviCRM » Manage ACLs » Access Control » Manage ACLs: create the permission for ChapterA Staff role to edit the smart group ChapterA Members.

      Now login as ChapterA Staff, and see that searching on contacts results in all contacts, not restricted to ChapterA Members. The expected result is that the ChapterA Staff login will only see ChapterA Members. Similar result on a member search: you see all members. If I unselect "View all contacts" in the access control, I see no contacts or members at all. So based on the above, I don't think I have set it up correctly, or there is some problem with the software.

      Note that the ACL does work with a static group. All I did to test was to replace the smart group with a static group of contacts.

      Also note that this cannot be tested on your demo sites as you cannot create users. I have set up 2 different installations however and can reproduce.

      Refer to this forum thread:




            • Assignee:
              Jitendra Purohit
              Paul Shaffer