Uploaded image for project: 'CiviCRM'
  1. CiviCRM
  2. CRM-19256

Add a hook to dynamically escalate permissions


    • Type: Improvement
    • Status: Done/Fixed
    • Priority: Trivial
    • Resolution: Fixed/Completed
    • Affects Version/s: 4.6.20, 4.7.10
    • Fix Version/s: 4.7.16
    • Component/s: Core CiviCRM
    • Labels:
    • Versioning Impact:
      Patch (backwards-compatible bug fixes)
    • Documentation Required?:
      Developer Doc
    • Funding Source:
      Contributed Code


      Per email message on civicrm-dev and civicrm-security mailing lists:

      I would like to create a new hook_civicrm_permission_check for CiviCRM. It would be called from the CRM_Core_Permission::check() function to be able to alter permissions at runtime. The use case for its creation is detailed below, but it could otherwise be used to disallow event registrations after a certain time of day, only allow the creation of accounting batches at the end of the month, implement an 'emergency access' switch in case some key staff is absent, etc.

      Any and all feedback most welcomed.


      Background data: There is a dichotomy between the 'view all contacts' and 'view all contacts in chapter' permissions: on a regular civicrm instance, or when we do not want to enable the multisite ACLs for a given user, the 'view all contacts' permissions is enabled. Inversely this permission is disabled, and the 'view all contacts in chapter' enabled when we want to implement multisite ACLs

      Use case: This organization has chapters in many states in the US. While most local staff only need to access their own chapter's data, a few need to send occasional mailings to the entire database. But since this is very occasional, they do not want to see all contacts all the time, just when they need to send a mailing to all or do some general reporting.

      Environment: Drupal with domain access module + CiviCRM multisite

      Proposed solution: Create a 'global' chapter in the organization, give access to this chapter in Drupal to the (few) people that occasionally need to access the whole database, in civicrm_settings set is_enabled = 0, domain_group_id = 0 for the 'global' domain, tell people to just access the 'global' domain when they want the entire database view, their local chapter's domain for the day-to-day work. This greatly reduces confusion, gives everyone just one login and allows for SSO between domains.

      Result: no contacts are displayed in the 'global' domain. This is because the 'view all contacts' permissions is disabled for all users, replaced by the 'view all contacts in domain'. We need to flip these permissions around when users are accessing the 'global' domain.

      Hence the proposed enhancement:
      a) add a hook_permission_check to CiviCRM that would be called from the CRM_Core_Permission::check() function to be able to alter permissions at runtime.
      b) implement this hook in the multisite module to grant the 'view all contacts' permission if (1) multisite is off, ie. is_enabled = 0 and domain_group_id = 0 and (2) 'view all contacts in domain' is granted. Do the same for the 'edit all contacts' permission.




            • Assignee:
              nganivet Nicolas Ganivet
              nganivet Nicolas Ganivet
            • Votes:
              0 Vote for this issue
              6 Start watching this issue


              • Created: