Details
Type: Bug
Status: Done/Fixed
Priority: Minor
Resolution: Fixed/Completed
Affects Version/s: 3.1.1
Fix Version/s: 3.1.3
Component/s: Core CiviCRM
Labels: None
Description
Tested on 3.1.1 + patch from CRM-5781 / Drupal 6.14.
Not sure if I can test on demo - does demo user have "Access all custom data" perm?
To replicate:
(1) Set up a user with no Civi permissions.
(2) Create a custom field group.
(3) Set up ACL role & group for this user.
(4) In ACL UI, grant View on the custom field group to this user's ACL role.
(5) Perform an API query accessing a custom field in this custom field group, e.g. civicrm_contact_search() specifying return.custom_N = 1 where N is the id of a field in the custom group.
-> In my case, failed to retrieve the value of the field. (Repeat 4 & 5 to verify the problem.)
(6) Go to Administer -> Custom Data -> View and Edit Custom Fields for relevant group; do a no-op edit on a field in the group.
(7) Repeat step 5:
-> In my case, correctly retrieved the value of the field.
(8) In ACL UI at civicrm/acl?reset=1, click the Disable link for the rule.
(9) Repeat step 5:
-> In my case, incorrectly retrieved the value of the field when user shouldn't have access to it.
(10) Repeat step 6:
-> In my case, now correctly failed to retrieve the value of the field.
Tracked down what step 6 does that makes it work: it calls
CRM_Core_BAO_Cache::deleteGroup( 'contact fields' );
My fix is to add this to CRM_ACL_Form_ACL::postProcess (for edit through ACL form) and CRM_ACL_BAO_ACL::setIsActive (for AJAX enable/disable).
Works here in brief testing so far, should be sanity-checked by team though.
Dave J
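The following is an added illustration, not code from CiviCRM or from the reporter. It models the sequence in steps 4 to 10 above with stand-in classes (Cache, AclStore, CustomFieldApi are hypothetical names, and the field/group ids and the 'secret value' string are constructed sample data): a per-role list of viewable custom fields is built lazily from the ACL rules and stored in a cache group named 'contact fields', and nothing clears that group when a rule is saved or enabled/disabled. The $invalidateOnChange switch reproduces the report when false and applies the described fix (clear the group in the same call that changes the rule) when true.

```php
<?php
// Added example, not CiviCRM code: models a lazily built, per-role field
// permission list that lives in a cache group and goes stale when ACL
// rules change. All names and sample data below are stand-ins.

final class Cache {
    private static array $groups = [];   // group name => key => value

    public static function get(string $group, string $key) {
        return self::$groups[$group][$key] ?? null;
    }

    public static function set(string $group, string $key, $value): void {
        self::$groups[$group][$key] = $value;
    }

    // Drops every entry of one group (the job deleteGroup('contact fields') does in the report).
    public static function deleteGroup(string $group): void {
        unset(self::$groups[$group]);
    }

    public static function reset(): void { self::$groups = []; }
}

final class AclStore {
    // false reproduces the report; true applies the fix (invalidate on every rule change).
    public static bool $invalidateOnChange = false;
    private static array $rules = [];   // id => [role, custom_group_id, is_active]

    public static function reset(): void { self::$rules = []; }

    // Stand-in for saving a rule through the ACL form.
    public static function save(int $id, string $role, int $customGroupId): void {
        self::$rules[$id] = ['role' => $role, 'custom_group_id' => $customGroupId, 'is_active' => true];
        self::changed();
    }

    // Stand-in for the AJAX Enable/Disable link.
    public static function setIsActive(int $id, bool $active): void {
        self::$rules[$id]['is_active'] = $active;
        self::changed();
    }

    public static function viewableCustomGroups(string $role): array {
        $ids = [];
        foreach (self::$rules as $r) {
            if ($r['is_active'] && $r['role'] === $role) {
                $ids[] = $r['custom_group_id'];
            }
        }
        return $ids;
    }

    private static function changed(): void {
        if (self::$invalidateOnChange) {
            Cache::deleteGroup('contact fields');   // the fix: authorization data changed, drop the cache
        }
    }
}

final class CustomFieldApi {
    // Constructed sample data: custom field 7 belongs to custom group 2.
    private static array $fieldToGroup = [7 => 2];
    private static array $values = [7 => 'secret value'];

    // Per-role list of permitted field ids, cached in the 'contact fields' group.
    private static function permittedFields(string $role): array {
        $cached = Cache::get('contact fields', "fields:$role");
        if ($cached !== null) {
            return $cached;              // stale if an ACL changed since this was built
        }
        $groups = AclStore::viewableCustomGroups($role);
        $fields = [];
        foreach (self::$fieldToGroup as $fieldId => $groupId) {
            if (in_array($groupId, $groups, true)) {
                $fields[] = $fieldId;
            }
        }
        Cache::set('contact fields', "fields:$role", $fields);
        return $fields;
    }

    // Stand-in for a search with return.custom_N = 1; null means the field was not returned.
    public static function getCustom(string $role, int $fieldId): ?string {
        return in_array($fieldId, self::permittedFields($role), true) ? self::$values[$fieldId] : null;
    }
}

// Replays steps 4 to 10 for one role and returns what each query saw:
// [after grant, after no-op field edit, after Disable, after second no-op edit].
function replay(bool $fixed): array {
    Cache::reset();
    AclStore::reset();
    AclStore::$invalidateOnChange = $fixed;
    $role = 'restricted';

    CustomFieldApi::getCustom($role, 7);                  // warms the cache while no rule exists
    AclStore::save(1, $role, 2);                          // step 4: grant View on custom group 2
    $afterGrant = CustomFieldApi::getCustom($role, 7);    // step 5
    Cache::deleteGroup('contact fields');                 // step 6: what the no-op field edit does
    $afterEdit = CustomFieldApi::getCustom($role, 7);     // step 7
    AclStore::setIsActive(1, false);                      // step 8: Disable link
    $afterDisable = CustomFieldApi::getCustom($role, 7);  // step 9
    Cache::deleteGroup('contact fields');                 // step 10
    $afterEdit2 = CustomFieldApi::getCustom($role, 7);

    return [$afterGrant, $afterEdit, $afterDisable, $afterEdit2];
}

var_export(replay(false)); echo "\n";   // cache left alone on ACL change
var_export(replay(true));  echo "\n";   // cache cleared on ACL change
```

Run with `php` on the command line. With $invalidateOnChange false the first query after the grant is still denied and the query after Disable still returns the value, matching steps 5 and 9 of the report; the second direction is the one that matters for security, because a disabled rule keeps granting access until something unrelated happens to clear the cache group. With the flag true both transitions take effect on the very next query, which is what adding the deleteGroup call to the form postProcess and to setIsActive achieves.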