Details
-
Type:
Bug
-
Status: Done/Fixed
-
Priority:
Major
-
Resolution: Fixed/Completed
-
Affects Version/s: 4.6.4, 4.7.19, 4.7.23
-
Component/s: Core CiviCRM
-
Labels:
-
Versioning Impact:Patch (backwards-compatible bug fixes)
-
Documentation Required?:None
-
Funding Source:Core Team Funds
Description
The group selector on the Basic Search form is showing all groups, for an ACL'd user who should only be able to see a restricted set of groups. Manage Groups correctly shows just the permitted groups.
It works correctly in 4.4.14 but fails as above in 4.6.4 .
Steps to replicate
1. Set up a user A without "view all contacts" or "edit all contacts" permissions.
2a. Set up an ACL through the UI, such that user A is only permitted to view one group, e.g. group id 3 (Summer Program Volunteers in a demo installation).
OR
2b. Implement hook_civicrm_aclGroup for $tableName == 'civicrm_saved_search'. A dummy implementation will do for testing purposes, which just returns a single permitted group id, e.g.
function mymodule_civicrm_aclGroup($type, $contactID, $tableName, &$allGroups, &$currentGroups) {
if ($tableName == 'civicrm_saved_search') {
// 3 = id of Summer Program Volunteers group on demo site
$currentGroups = array(3);
}
}
Enable the module implementing the above hook.
3. Logged in as user A, visit Manage Groups, /civicrm/group?reset=1 . Verify that only group id 3 (Summer Program Volunteers in a demo installation) is shown.
4. Logged in as user A, visit Basic Search, /civicrm/contact/search?reset=1 .
Expected behaviour: only the permitted group, id 3, is shown in the groups drop-down.
Actual behaviour: all groups are shown in the groups drop-down.