Details
- Type: Improvement
- Status: Done/Fixed
- Priority: Major
- Resolution: Fixed/Completed
- Affects Version/s: 4.6
- Component/s: CiviCRM API, CiviCRM Profile, CiviEvent
- Labels: None
- Documentation Required?: User and Admin Doc
- Epic Link:
- Funding Source: Paid Issue Queue
Description
Sponsored improvement - please log all work hours.
****************
Summary
=========
Currently, users are required to have 'administer CiviCRM' permission in order to create or edit event-related profiles and profile fields. However, the Edit, Copy, and Create buttons are displayed to users without this permission on the Configure Event > Online Registration tab, and these users can access the inline profile editor interface. When they try to save their input, an error is thrown:
"API permission check failed for UFGroup/create call; insufficient permission: require administer CiviCRM"
This improvement has 2 aspects:
- Add a new core permission that can be granted to users who need to manage event-related profiles without giving them 'administer CiviCRM' permission.
- Prevent the profile create/edit/copy actions from being offered to users who do NOT have permission to use them.
Implementation
=============
1. Add a new permission defined by core:
Title = "CiviEvent: manage event profiles"
Description = "Allow users to create, edit and copy event-related profile forms used for online event registration."
2. Modify UFGroup / UFField api permissions to give users with this permission the following access from the Online Registration tab / profile builder:
- create new profile (UFGroup)
- edit profile settings (UFGroup)
- create profile fields (UFField)
- edit profile fields
- delete profile fields
NOTES:
- These users should NOT get access to manage profiles via Administer > Customize > Profiles menu path unless they also have administer CiviCRM permission
- Their profile management access in the event context is also conditional on them having configuration access for that event (either via 'edit all events' or ACL)
- The current profile builder UI does NOT allow profile (UFGROUP) DELETE, and I don't think these users need or should have that permission (they do need field-level delete).
3. Modify CRM_Event_Form_ManageEvent_Registration to conditionally display the Profile Selector "Create", "Edit" and "Copy" buttons based on the user's permissions. All three buttons are displayed only if the user has 'administer CiviCRM' OR 'manage event profiles' permission. Otherwise, only the dropdown for selecting from the existing list of profiles AND the 'Preview' button are displayed.
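The access rules from steps 1-3 and the NOTES, modelled as a standalone PHP sketch so the UI decision and the API decision can be compared side by side. This is an added example, not CiviCRM code: the permission names are taken from this issue, while the function names, the `$context` values and the `$eventAcl` flag are hypothetical.

```php
<?php
// Added illustration, not CiviCRM code. Permission names come from the issue text;
// function names, the $context values and the $eventAcl flag are hypothetical.
const ADMINISTER = 'administer CiviCRM';
const MANAGE_EVENT_PROFILES = 'manage event profiles';
const EDIT_ALL_EVENTS = 'edit all events';

// Server-side decision for a profile API call.
// $context: 'event' = Online Registration tab, 'admin' = Administer > Customize > Profiles.
// $eventAcl: true when an ACL grants configuration access to the event being edited.
function canCallProfileApi(array $perms, string $entity, string $action,
                           string $context, bool $eventAcl = false): bool {
  if (in_array(ADMINISTER, $perms, true)) {
    return true; // unchanged: administrators pass the existing check
  }
  if ($context !== 'event' || !in_array(MANAGE_EVENT_PROFILES, $perms, true)) {
    return false; // the new permission never opens the admin menu path
  }
  if (!in_array(EDIT_ALL_EVENTS, $perms, true) && !$eventAcl) {
    return false; // must also be able to configure this event
  }
  // UFGroup delete is deliberately absent; field-level delete is allowed.
  $allowed = [
    'UFGroup' => ['create', 'edit'],
    'UFField' => ['create', 'edit', 'delete'],
  ];
  return in_array($action, $allowed[$entity] ?? [], true);
}

// UI decision for the Profile Selector: offer only what the API would accept.
function profileSelectorButtons(array $perms): array {
  $canManage = in_array(ADMINISTER, $perms, true)
    || in_array(MANAGE_EVENT_PROFILES, $perms, true);
  return $canManage ? ['Create', 'Edit', 'Copy', 'Preview'] : ['Preview'];
}

// Constructed sample users.
$users = [
  'event manager' => [MANAGE_EVENT_PROFILES, EDIT_ALL_EVENTS],
  'event editor'  => [EDIT_ALL_EVENTS],
];
foreach ($users as $name => $perms) {
  printf("%s: buttons=%s\n", $name, implode(',', profileSelectorButtons($perms)));
  foreach ([['UFGroup', 'create', 'event'], ['UFGroup', 'delete', 'event'],
            ['UFField', 'delete', 'event'], ['UFGroup', 'create', 'admin']] as [$e, $a, $c]) {
    printf("  %s/%s in %s context: %s\n", $e, $a, $c,
      canCallProfileApi($perms, $e, $a, $c) ? 'allowed' : 'denied');
  }
}
```

The button list is only a convenience for the user; the API-side function is the control that has to hold when the form is bypassed.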
Attachments
1. Add ACL support for profile related api's | Done/Fixed | Jitendra Purohit
2. Filter Profile selector in Configure Event - Registration tab for non-admin users | Done/Fixed | David Greenberg