Uploaded image for project: 'CiviCRM'
  1. CiviCRM
  2. CRM-16836

Basic Search form group select does not respect ACLs


    • Versioning Impact:
      Patch (backwards-compatible bug fixes)
    • Documentation Required?:
    • Funding Source:
      Core Team Funds


      The group selector on the Basic Search form is showing all groups, for an ACL'd user who should only be able to see a restricted set of groups. Manage Groups correctly shows just the permitted groups.

      It works correctly in 4.4.14 but fails as above in 4.6.4 .

      Steps to replicate

      1. Set up a user A without "view all contacts" or "edit all contacts" permissions.

      2a. Set up an ACL through the UI, such that user A is only permitted to view one group, e.g. group id 3 (Summer Program Volunteers in a demo installation).


      2b. Implement hook_civicrm_aclGroup for $tableName == 'civicrm_saved_search'. A dummy implementation will do for testing purposes, which just returns a single permitted group id, e.g.

      function mymodule_civicrm_aclGroup($type, $contactID, $tableName, &$allGroups, &$currentGroups) {
        if ($tableName == 'civicrm_saved_search') {
          // 3 = id of Summer Program Volunteers group on demo site
          $currentGroups = array(3);

      Enable the module implementing the above hook.

      3. Logged in as user A, visit Manage Groups, /civicrm/group?reset=1 . Verify that only group id 3 (Summer Program Volunteers in a demo installation) is shown.

      4. Logged in as user A, visit Basic Search, /civicrm/contact/search?reset=1 .

      Expected behaviour: only the permitted group, id 3, is shown in the groups drop-down.
      Actual behaviour: all groups are shown in the groups drop-down.




            • Assignee:
              colemanw Coleman Watts
              davej Dave Jenkins
            • Votes:
              0 Vote for this issue
              6 Start watching this issue


              • Created: