CRM-18568 Api gives error when using 'LIKE' with pseudoconstant fields

    Details

    • Type: Bug
    • Status: Open
    • Priority: Trivial
    • Resolution: Unresolved
    • Affects Version/s: 4.7.7
    • Fix Version/s: None
    • Component/s: None
    • Labels:
    • Versioning Impact:
      Patch (backwards-compatible bug fixes)
    • Documentation Required?:
      None
    • Funding Source:
      Needs Funding

      Description

      To replicate

      1. Create a custom field (used for contact) of HTML type (basically those which register field options in the Option value table) - checkbox/select/radio - any data type. Say a Select field with options
      custom_15 => ('option 1'=> 'a', 'option 2' => 'b');
      2. On using the advanced filter array(LIKE => '%a%') it throws a fatal error
      "error_message": "'%a%' is not a valid option for field custom_15"

      Comment by Monish:
      So we need to extend _civicrm_api3_api_match_pseudoconstant() to support the special character '%' when using the 'LIKE' operator

      Response by Eileen
      @monishdeb - the minimum form of support would be to trim from the start & finish. But, are we trying to support

      array('custom_10' => array('LIKE' => '%dakota%'));

      for when people really do want to find north & south dakota or

      array('LIKE' => '%big%house%');

      to find 'big house', 'my big house', 'my bigger house'

      etc.

      If we want to support the variants I'm not sure if that adds a security consideration.

          Activity

          Coleman Watts added a comment -

          Probably the function _civicrm_api3_api_match_pseudoconstant() shouldn't be called at all for operators such as LIKE.

          Eileen McNaughton added a comment -

          Do you think there is potential to bypass custom data acls if we remove that check? Perhaps we could require 'access all custom data' to use a 'Like' call?

          Note this is a cause of intermittent CI errors

          Coleman Watts added a comment - - edited

          I wasn't aware of any ACLs that are so fine-grained they operated on individual option values. That function doesn't seem to be enforcing any ACLs.

          Eileen McNaughton added a comment -

          Ah true - they are field specific - not option value. OK we can return early for LIKE

          Eileen McNaughton added a comment - - edited

          Ah, here's the thing - it's the same validation code used for something like financial types which DOES have an ACL applied....

          Coleman Watts added a comment -

          IMO a "LIKE" operator is fundamentally incompatible with a "per option" ACL rule.
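
The two approaches raised in this thread, sketched in PHP as an added example (not CiviCRM code and not written by the commenters): trimming the wildcards and validating the remainder, versus resolving the LIKE pattern against only the options the caller is permitted to see. All function names, option values and the permitted list are hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not CiviCRM code: every name and value here is hypothetical.

/** Convert a SQL LIKE pattern (% and _ wildcards) to an anchored, case-insensitive regex. */
function likeToRegex(string $pattern): string {
  $regex = '';
  foreach (preg_split('//u', $pattern, -1, PREG_SPLIT_NO_EMPTY) as $ch) {
    $regex .= $ch === '%' ? '.*' : ($ch === '_' ? '.' : preg_quote($ch, '/'));
  }
  return '/^' . $regex . '$/isu';
}

/** "Minimum form of support": trim % from both ends, then require an exact option. */
function trimAndMatch(string $pattern, array $options): ?string {
  $needle = trim($pattern, '%');
  return in_array($needle, $options, TRUE) ? $needle : NULL;
}

/**
 * Resolve the pattern against only the options this caller may see and return
 * a list suitable for an IN clause, so the wildcard never reaches a hidden option.
 */
function expandLike(string $pattern, array $options, array $permitted): array {
  $regex = likeToRegex($pattern);
  $visible = array_intersect($options, $permitted);
  return array_values(array_filter($visible, fn($v) => preg_match($regex, $v) === 1));
}

// Constructed sample data: 'south dakota' stands in for an option hidden by a per-option ACL.
$options = ['north dakota', 'south dakota', 'big house', 'my bigger house', 'ohio'];
$permitted = ['north dakota', 'big house', 'my bigger house', 'ohio'];

// Trim-and-validate only accepts patterns whose core is itself an exact option.
var_dump(trimAndMatch('%dakota%', $options));
var_dump(trimAndMatch('%ohio%', $options));

// Expansion supports inner wildcards while staying inside the permitted set.
print_r(expandLike('%dakota%', $options, $permitted));
print_r(expandLike('%big%house%', $options, $permitted));
```

If the expanded list is empty, the query should match nothing rather than fall back to the raw LIKE pattern.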

            People

            • Assignee:
              Unassigned
              Reporter:
              Eileen McNaughton
