Uploaded image for project: 'CiviCRM'
  1. CiviCRM
  2. CRM-16776

Event-related profiles can be created & edited with either 'administer CiviCRM' OR 'manage event profiles' permission

          Details

            Description

            Sponsored improvement - please log all work hours.
            ****************

            Summary
            =========
            Currently, users are required to have 'administer CiviCRM' permission in order to create or edit event-related profiles and profile fields. However, the Edit, Copy, and Create buttons are displayed to users without this permission on the Configure Event > Online Registration tab - and these users can access the inline profile editor interface. However, when they try to save their input, an error is thrown:
            "API permission check failed for UFGroup/create call; insufficient permission: require administer CiviCRM"

            This improvement has 2 aspects:

            • Add a new core permission that can be granted to users who need to manage event-related profiles w/o giving them 'administer CiviCRM' permission.
            • Prevent the profile create/edit/copy actions from being offered to users who do NOT have permission to use them.

            Implementation
            =============
            1. Add a new permission defined by core:
            Title = "CiviEvent: manage event profiles"
            Description = "Allow users to create, edit and copy event-related profile forms used for online event registration."

            2. Modify UFGroup / UFField api permissions to give users with this permission the following access from the Online Registration tab / profile builder:

            • create new profile (UFGroup)
            • edit profile settings (UFGroup)
            • create profile fields (UFField)
            • edit profile fields
            • delete profile fields

            NOTES:

            • These users should NOT get access to manage profiles via Administer > Customize > Profiles menu path unless they also have administer CiviCRM permission
            • Their profile management access in the event context is also conditional on them having configuration access for that event (either via 'edit all events' or ACL)
            • The current profile builder UI does NOT allow profile (UFGROUP) DELETE, and I don't think these users need or should have that permission (they do need field-level delete).

            3. Modify CRM_Event_Form_ManageEvent_Registration to conditionally display the Profile Selector "Create", "Edit" and "Copy" buttons based on users permission. All three buttons are displayed only if user has 'administer CiviCRM' OR 'manage event profiles' permission. Otherwise, only the dropdown for selecting from existing list of profiles AND the 'Preview' button are displayed.

              Attachments

                Activity

                  People

                  • Assignee:
                    jitendra.purohit Jitendra Purohit
                    Reporter:
                    dgg David Greenberg
                  • Votes:
                    0 Vote for this issue
                    Watchers:
                    3 Start watching this issue

                    Dates

                    • Created:
                      Updated:
                      Resolved:

                      Time Tracking

                      Estimated:
                      Original Estimate - 1 day, 6 hours Original Estimate - 1 day, 6 hours
                      1d 6h
                      Remaining:
                      Remaining Estimate - 0 minutes
                      0m
                      Logged:
                      Time Spent - 3 days, 4 hours, 30 minutes
                      3d 4h 30m