Details
- Type: Bug
- Status: Done/Fixed
- Priority: Major
- Resolution: Fixed/Completed
- Affects Version/s: 3.2
- Fix Version/s: 3.2
- Component/s: Core CiviCRM
- Labels: None
Description
The rewrite of CRM_Activity_BAO_Activity::getActivities dropped the logic that prevented users from seeing Contribution activities when they did not have the 'access CiviContribute' permission. We need to reinstate that filter. Lobo suggests collecting the allowed component IDs for the logged-in user and then adding a filter like this:
WHERE ... activity_type.component_id IN($permittedComponentIDs)
This will ensure that users who don't have access to any specific component (e.g. contribute, membership, event...) will not see related activity records in the selector.
NOTE: For CiviCase activities, this means checking for 3 permissions: administer CiviCase OR access all cases and activities OR access my cases and activities.
NOTE: Not sure if this problem exists in 3.1. If so, let's fix it in 3.2 and then potentially backport depending on complexity.
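The following is an added illustration of the suggested filter, not code from CiviCRM or from this issue. It assumes a hypothetical mapping from component IDs to the permissions that unlock them (the IDs and table layout are constructed for an in-memory SQLite database, not CiviCRM's real schema), applies the three-way OR rule for CiviCase, and builds the `component_id IN (...)` clause as a parameterised query. Two details a plain `IN($permittedComponentIDs)` would get wrong are handled explicitly: an empty permitted set must not produce the invalid SQL `IN ()`, and activity types that belong to no component (core types such as meetings) have a NULL component_id, which `IN (...)` would silently exclude, so they are kept with an `IS NULL` branch.

```python
import sqlite3

# Assumed mapping: component id -> (component name, permissions that grant access).
# A user may see a component's activities if they hold ANY listed permission;
# CiviCase needs one of three. Ids are constructed sample values.
COMPONENT_PERMISSIONS = {
    1: ("CiviContribute", ["access CiviContribute"]),
    2: ("CiviMember", ["access CiviMember"]),
    3: ("CiviEvent", ["access CiviEvent"]),
    4: ("CiviCase", ["administer CiviCase",
                     "access all cases and activities",
                     "access my cases and activities"]),
}


def permitted_component_ids(user_permissions):
    """Return the set of component ids whose activities this user may see."""
    held = set(user_permissions)
    return {cid for cid, (_name, needed) in COMPONENT_PERMISSIONS.items()
            if held & set(needed)}


def activity_filter_clause(component_ids):
    """Build (sql_fragment, params) restricting activity_type.component_id.

    Core activity types carry a NULL component_id and stay visible. With no
    permitted components, only those remain; this also avoids emitting
    the syntactically invalid 'IN ()'.
    """
    if not component_ids:
        return "activity_type.component_id IS NULL", ()
    placeholders = ",".join("?" * len(component_ids))
    clause = ("(activity_type.component_id IS NULL OR "
              f"activity_type.component_id IN ({placeholders}))")
    return clause, tuple(sorted(component_ids))


def visible_activities(conn, user_permissions):
    """Return the subjects of activities the user is allowed to see, in id order."""
    clause, params = activity_filter_clause(permitted_component_ids(user_permissions))
    sql = f"""
        SELECT activity.id, activity.subject
        FROM activity
        JOIN activity_type ON activity_type.id = activity.activity_type_id
        WHERE {clause}
        ORDER BY activity.id
    """
    return [row[1] for row in conn.execute(sql, params)]


def build_sample_db():
    """Constructed sample data: one core activity plus one per component."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE activity_type (id INTEGER PRIMARY KEY, label TEXT, component_id INTEGER);
        CREATE TABLE activity (id INTEGER PRIMARY KEY, subject TEXT, activity_type_id INTEGER);
        INSERT INTO activity_type VALUES
            (1, 'Meeting', NULL),
            (2, 'Contribution', 1),
            (3, 'Membership Signup', 2),
            (4, 'Event Registration', 3),
            (5, 'Open Case', 4);
        INSERT INTO activity VALUES
            (1, 'Board meeting', 1),
            (2, 'Donation received', 2),
            (3, 'New member', 3),
            (4, 'Gala ticket', 4),
            (5, 'Case opened', 5);
    """)
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for perms in ([], ["access CiviContribute"], ["access my cases and activities"]):
        print(perms, "->", visible_activities(db, perms))
```

Because the clause is parameterised, the permitted IDs never reach the query as interpolated text, and the `ORDER BY` makes the result deterministic for checking.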
Issue Links
- is supplemented by: CRM-6264 Tighten permissions on Activity Edit and View functions (Done/Fixed)