Details
-
Type:
Bug
-
Status: Done/Fixed
-
Priority:
Critical
-
Resolution: Fixed/Completed
-
Affects Version/s: 4.5.8, 4.6.2
-
Fix Version/s: 4.6.9
-
Component/s: Core CiviCRM
-
Labels:
-
Documentation Required?:User and Admin Doc
-
Funding Source:Core Team Funds
Description
Authenticated user with 'access Contact Dashboard' permission should be able to see 'Your Contacts / Organizations' section of the dashboard.
However, currently this section is requiring 'view all contacts' permission. Otherwise a dataTables warning is thrown and call to http://civicrm46/civicrm/ajax/contactrelationships returns Access Denied / 403.
I initially tried adding 'accessContactDashboard' to the access_arguments list in Core/xml/Menu/Contact.xml - civicrm/ajax/contactrelationships. That didn't help. The method which retrieves the relationship list (CRM_Contact_BAO_Relationship:getContactRelationshipSelector) limits the return to 'permissioned relationships' if $context is the dashboard, so from a security point of view 'access Contact Dashboard' should be sufficient and I'm pretty sure this is a regression from 4.4.
I was wondering if this commit broke things:
https://github.com/civicrm/civicrm-core/commit/b0266403
... but doesn't look like it (I commented out the permissionDenied line in CRM/Contact/Page/AJAX.php
and that didn't help.
Attachments
Issue Links
- links to