Details
-
Type:
Bug
-
Status: Done/Fixed
-
Priority:
Trivial
-
Resolution: Duplicate
-
Affects Version/s: 4.6.20
-
Fix Version/s: None
-
Component/s: None
-
Labels:None
-
Documentation Required?:None
-
Funding Source:Needs Funding
Description
When attempting to view an activity, if the source contact does not exist then the activity cannot be viewed.
The source contact may be NULL or missing if the activity was created without source, or source contact was cleared via API update after creation, or source contact was deleted later. Code comments in this function indicate that missing source contact is a case to be handled, commit refers to CRM-18409.
At line 2409 CiviCRM checks if the viewing user has permission to view the source contact. If this fails, then the following block which checks for "view all contacts" or "edit all contacts" is not entered.
Lines 2409 to 2448 seem to do two things:
- Check for super permission, or
- Check access to each contact involved in the activity
It might be sensible to rewrite that to first check for super permission, otherwise obtain a list of valid contacts associated with the activity and check access to that list of contacts.
Minimal bugfix PR will be provided, keen to hear input if we want to clean this up a bit more. Current Activity permissions check feels a bit sprawling at ~150LoC?