Affects Version/s: 4.6.4, 4.7.19, 4.7.23
Component/s: Core CiviCRM
Versioning Impact:Patch (backwards-compatible bug fixes)
Funding Source:Core Team Funds
The group selector on the Basic Search form is showing all groups, for an ACL'd user who should only be able to see a restricted set of groups. Manage Groups correctly shows just the permitted groups.
It works correctly in 4.4.14 but fails as above in 4.6.4 .
Steps to replicate
1. Set up a user A without "view all contacts" or "edit all contacts" permissions.
2a. Set up an ACL through the UI, such that user A is only permitted to view one group, e.g. group id 3 (Summer Program Volunteers in a demo installation).
2b. Implement hook_civicrm_aclGroup for $tableName == 'civicrm_saved_search'. A dummy implementation will do for testing purposes, which just returns a single permitted group id, e.g.
Enable the module implementing the above hook.
3. Logged in as user A, visit Manage Groups, /civicrm/group?reset=1 . Verify that only group id 3 (Summer Program Volunteers in a demo installation) is shown.
4. Logged in as user A, visit Basic Search, /civicrm/contact/search?reset=1 .
Expected behaviour: only the permitted group, id 3, is shown in the groups drop-down.
Actual behaviour: all groups are shown in the groups drop-down.