CRM-5666: Limit CiviCase Access for some users to 'My Cases' and 'My Activities'

    Details

    • Type: New Feature
    • Status: Done/Fixed
    • Priority: Major
    • Resolution: Fixed/Completed
    • Affects Version/s: 3.1
    • Fix Version/s: 3.2
    • Component/s: CiviCase
    • Labels: None

      Description

      Rationale
      ========
      Organizations need a way to limit access for some users (staff or external agencies) to only those cases where they have a 'case role'. For these cases, they would be limited to:

      • adding activities
      • viewing and editing activities IF they are the source or an assignee
      • viewing activities only (no editing) IF they are a target.

      Implement the following 3 levels of permissioning:

      1. 'access all cases and activities'
      2. 'access my cases and activities'
      3. 'administer CiviCase'

      Implementation
      =============
      'My Cases' filter has the same meaning as currently => cases where the current user has a case role (user's contact record is contact_id_b in a relationship linked to that case_id).

      'My Activities' filter = activities where current user's contact record is the source contact_id, an assignee contact_id, OR a target contact_id.

      1. Add a new CiviCase permission: 'access my cases and activities'

      2. Changes to Case screens/functions for users with 'access my cases and activities'

      • Suppress 'Case' from shortcuts ('create new') drop-down, and 'New Case' from Cases menu

      2.1 Case Dashboard

      • Hide link "Show ALL Cases with Upcoming Activities" (these users can ONLY view 'My Cases')
      • Hide 'New Case' button (these users are not permitted to create cases)
      • Next Sched and Most Recent activity queries for case selectors filter on 'My Activities' (see above)
      • Case selector: edit link for Next Sched and Most Recent conditional on whether user is source or assignee
      • Case selector actions / links:
        • Manage Case link is shown
        • Delete link is conditional on user having 'delete in CiviCase' permission
      • Activities (drilldown) selectors filter on 'My Activities'. Other case activities are NOT shown.
      • Activities selector actions / links:
        • 'view' link (Subject column) available for all displayed activities
        • 'Edit' action link only available for activities where user is source OR an assignee
        • 'Delete' action link suppressed unless user has 'delete activities' permission

      2.2 Find Cases

      • Search queries only return 'My Cases'
      • Hide 'My Cases' / 'All Cases' radio (case_owner) - since these users can only access 'My Cases'
      • Case and Activity selectors - see dashboard section above

      2.3 Manage Case

      • Add 'Birth Date' display to 'Client' box in Case Summary fieldset below client name and phone number
        • remove the 'Client:' label cell from that box as it's not needed, so display is:

      Janet Johnson
      415 244-1022
      DOB: March 2, 1966

      • Suppress the following Case Summary elements:
        • Add Timeline dropdown
        • Run QA Audit / Redact
        • Print Report (this is a new button which will be added for 3.2, see CRM-5757)
      • Suppress the following Case Roles elements:
        • Add new role
        • Role Actions column in table (Edit and Delete actions are not allowed)
      • Suppress the Other Relationships section completely
      • Case Activities section:
        • Activities filtered on 'my activities' (see above)
        • 'Edit' action link only available for activities where user is source OR an assignee
        • 'Delete' action link suppressed unless user has 'delete activities' permission

      3. Access should be denied if object ID is changed in URL query string OR non-permissioned action is requested via URL:

      • Manage Case (contact/view/case) for cases which are not My Cases
      • View or Edit case activities which are not My Activities
      • Add case activity to a case which is not My Case
      • Create a case (contact/view/case?action=add)

      4. Option to deny access to contact functions and screens
      Physician Health needs the ability to limit these 'external agency' CiviCase users to Case and Case Activity screens only.

      If the user's permissions are:
      1. edit all contacts = false
      2. view all contacts = false
      3. new function - giveMeAllACLs() returns false

      then ...

      • hide Quick Contact Search (auto-complete) box (left side of menu bar)
      • hide Search and Contacts top level menus
      • remove and block (access denied) contact create links (shortcuts dropdown)
      • remove and block all links to contact/view OTHER THAN contact/view/case
      • suppress all links to view contact summary page in Case and Activity selectors

      NOTE: Check with Kurund about plans to change URL patterns for 'view' pages. The above limits would probably be easier to implement if the Manage Case URL was 'civicrm/case/view' instead of 'civicrm/contact/view/case'.

      5. Add another new CiviCase permission: 'access all cases and activities'

      • Create new cases
      • View and edit all cases and case activities (via dashboard, find cases, case tabs)

      6. Add another new CiviCase permission: 'administer CiviCase'

      • gives user access to Administer → CiviCase functions (currently Case Types and Redact Rules) ONLY

      If the user needs access to 'all cases' and to CiviCase admin stuff, they need to have 'access all cases and activities' AND 'administer CiviCase'.
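As an added illustration (not CiviCRM code), the rules in items 1 to 6 above modelled as one authorization decision in Python: the dataclasses and helper functions are assumptions standing in for CiviCRM's own tables and API, and the point is that every URL handler re-checks the object id it was handed (item 3) instead of trusting which links the selectors rendered.

```python
from dataclasses import dataclass, field

ACCESS_ALL = "access all cases and activities"   # permission names from the ticket
ACCESS_MINE = "access my cases and activities"

@dataclass
class Case:                   # assumed stand-in for civicrm_case + its relationships
    case_id: int
    role_contacts: set        # contact_id_b of each relationship linked to this case_id

@dataclass
class Activity:               # assumed stand-in for a case activity record
    activity_id: int
    case_id: int
    source: int               # source contact_id
    assignees: set = field(default_factory=set)
    targets: set = field(default_factory=set)

def is_my_case(case: Case, contact_id: int) -> bool:
    return contact_id in case.role_contacts          # 'My Cases': user holds a case role

def is_my_activity(act: Activity, contact_id: int) -> bool:
    # 'My Activities': user is the source, an assignee, or a target
    return contact_id == act.source or contact_id in act.assignees or contact_id in act.targets

def case_actions(case: Case, contact_id: int, perms: set) -> set:
    """Actions allowed on one case; an empty set means 'access denied' (item 3)."""
    if ACCESS_ALL in perms or (ACCESS_MINE in perms and is_my_case(case, contact_id)):
        allowed = {"manage", "add_activity"}
    else:
        return set()
    if "delete in CiviCase" in perms:
        allowed.add("delete")
    return allowed

def activity_actions(act: Activity, contact_id: int, perms: set) -> set:
    """Actions allowed on one case activity, per the dashboard / Manage Case rules."""
    if ACCESS_ALL in perms:
        allowed = {"view", "edit"}
    elif ACCESS_MINE in perms and is_my_activity(act, contact_id):
        allowed = {"view"}                       # targets may view but not edit
        if contact_id == act.source or contact_id in act.assignees:
            allowed.add("edit")
    else:
        return set()
    if "delete activities" in perms:           # assumed to apply to both access levels
        allowed.add("delete")
    return allowed

def can_create_case(perms: set) -> bool:       # only 'access all' users create cases
    return ACCESS_ALL in perms
```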

      People

      • Assignee: David Greenberg (dgg)
      • Reporter: David Greenberg (dgg)