CRM-4418 Add permissioning for Delete action

    Details

    • Type: New Feature
    • Status: Done/Fixed
    • Priority: Major
    • Resolution: Fixed/Completed
    • Affects Version/s: 2.2.0, 2.2.1, 2.2.2
    • Fix Version/s: 3.1.4
    • Component/s: Core CiviCRM
    • Labels:
      None

      Description

      Site admins need an option to prevent certain users from deleting records of various types.

      For this implementation, we'll support this functionality using Drupal permissioning.

      The following granularity will be offered for delete permissions:

      • delete contacts
      • delete activities

      ...plus

      For each enabled component:

      • delete in $component (e.g. delete in CiviContribute)

      The component delete permission will apply to all objects in that component's class tree.

      For example, "delete in CiviEvent" allows delete of:

      • participant records
      • event records

      Delete button, action link and batch actions should be suppressed for any user who doesn't have delete permission for that object (contacts) or for objects that belong to that component.

          Activity

          Shailesh Lende added a comment -

          Tested and verified for v2.3 rev-22167.

          Kurund Jalmi added a comment -

          Batch move to verification

          Yashodha Chaku added a comment -

          assigning for 3.0 QA

          Alice Aguilar added a comment -

          After removing DELETE permissions to all components, Contacts, and Activities, all seem to work as expected except for the following:

          • user is still able to delete memberships (when you go to Member Dashboard - click on "MORE" on an individual's record and the option to DELETE is there)
          • user is able to delete an Activity with an activity type of "TELL A FRIEND" - (which looks like when Individual selects this option when registering for an event and this activity gets created). I believe we still DON'T want user to delete this Activity.

          Alice Aguilar added a comment -

          Looks like everything checks out.

          Yashodha Chaku added a comment -

          assigning for 3.1 verification

          Rajan P Mayekar added a comment -

          Verified in r 25305.

          Donald A. Lobo added a comment -

          so we don't expose delete to people who only have view permission

          Christophe Benz added a comment -

          I created a tiny patch to allow users to delete contacts they can edit, not those they can view.

          Since I am a beginner with the code of CiviCRM, perhaps this patch is not very strong. What do you think about it?

          Kurund Jalmi added a comment -

          If you have "delete permission" and "edit permission" for a contact, then you can delete it.

          If you have delete contacts, but do not have "edit permission" for a contact, then you cannot delete that contact.

          So for deleting you need both edit and delete permission.
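
The rule from the description and the comment above, written out as an added example (not code from this ticket or from CiviCRM). `COMPONENT_OF`, `requiredDeletePermission`, `canDelete` and `visibleActions` are hypothetical names, and the per-record edit flag is assumed to come from the site's existing edit-access check.

```php
<?php
// Illustrative model only: none of these names are CiviCRM APIs.

// Object type => component whose "delete in $component" permission governs it.
// Only the CiviEvent objects named in the description are listed.
const COMPONENT_OF = [
    'participant' => 'CiviEvent',
    'event'       => 'CiviEvent',
];

// Permission string a user must hold to delete this object type.
function requiredDeletePermission(string $objectType): ?string {
    if ($objectType === 'contact')  return 'delete contacts';
    if ($objectType === 'activity') return 'delete activities';
    return isset(COMPONENT_OF[$objectType])
        ? 'delete in ' . COMPONENT_OF[$objectType]
        : null; // unknown type: nothing authorizes the delete
}

// Single decision point, meant for the delete handler and batch action
// as well as for link rendering.
function canDelete(array $userPerms, string $objectType, bool $canEditRecord): bool {
    $needed = requiredDeletePermission($objectType);
    if ($needed === null || !in_array($needed, $userPerms, true)) {
        return false;
    }
    // Contacts also require edit access to the specific record.
    return $objectType !== 'contact' || $canEditRecord;
}

// Suppress the delete button / action link when the check fails.
function visibleActions(array $actions, array $userPerms, string $objectType, bool $canEditRecord): array {
    if (canDelete($userPerms, $objectType, $canEditRecord)) {
        return $actions;
    }
    return array_values(array_filter($actions, fn($a) => $a !== 'delete'));
}

// Constructed sample users.
$staff  = ['delete contacts', 'delete in CiviEvent'];
$viewer = [];
$menu   = ['view', 'edit', 'delete'];

var_export(canDelete($staff, 'contact', true));      // has both: true
var_export(canDelete($staff, 'contact', false));     // view-only record: false
var_export(canDelete($staff, 'participant', false)); // component permission: true
var_export(canDelete($staff, 'activity', true));     // lacks "delete activities": false
var_export(visibleActions($menu, $viewer, 'event', true)); // ['view', 'edit']
```

Routing every delete path through the one function means a menu that still shows the link cannot turn into a working delete.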

          Sushant Paste added a comment -

          Tested in r26978.

            People

            • Assignee:
              Sushant Paste
              Reporter:
              David Greenberg