Details
- Type: Bug
- Status: Done/Fixed
- Priority: Minor
- Resolution: Fixed/Completed
- Affects Version/s: 4.5.4
- Fix Version/s: 4.5.5
- Component/s: CiviCRM API
- Labels: None
- Documentation Required?: None
Description
The Drupal contact page does not show "Contact Dashboard" even when permissions are given to access the contact dashboard unless they are also given the "edit my contact" permissions.
I just want someone to see their own stuff. The edit permission allows them to do too much (such as send e-mails from the organization e-mail, create cases, etc.) as the ACLs within CiviCRM aren't very well defined.
This fixes it:
In /drupal/civicrm_user.inc
180c180
< if (CRM_Core_Permission::check('access Contact Dashboard') && $civiPerm) {
—
> if (CRM_Core_Permission::check('access Contact Dashboard')) {
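Review bot: With `$civiPerm` dropped from the condition at line 180, the Contact Dashboard link is gated only by `CRM_Core_Permission::check('access Contact Dashboard')`, and nothing in this hunk shows the ownership check that the dashboard itself is said to perform. Please add a comment at this line stating that per-contact access is enforced on the dashboard page, and include a test in which a user holding only 'access Contact Dashboard' requests the dashboard with a different contact ID and is denied. Also check whether `$civiPerm` is still used elsewhere in civicrm_user.inc; if this was its only use, remove the now-dead assignment.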
Additional permissions are checked at the Dashboard level, so interchanging the ID does not allow one to see another user's dashboard.