Details
- Type: Bug
- Status: Done/Fixed
- Priority: Minor
- Resolution: Fixed/Completed
- Affects Version/s: 3.2
- Fix Version/s: 3.2
- Component/s: CiviCase, Core CiviCRM
- Labels: None
Description
1. Before loading any activity for EDIT, make sure the user has:
- Permission to Edit that activity (based on having Edit permission on ALL contacts associated with that activity),
AND
- Has permission for the component referenced in the activity type (e.g. access CiviContribute for Contribution activity type because it has CiviContribute as the activity_type.component_id).
NOTE: For CiviCase activities, this means checking for 3 permissions: administer CiviCase OR access all cases and activities OR access my cases and activities.
2. Before loading any activity for VIEW, make sure the user has:
- Permission to View that activity (based on having View permission on ALL contacts associated with that activity),
AND
- Has permission for the component referenced in the activity type (e.g. access CiviContribute for Contribution activity type because it has CiviContribute as the activity_type.component_id).
NOTE: For CiviCase activities, this means checking for 3 permissions: administer CiviCase OR access all cases and activities OR access my cases and activities.
3. For Case Activities:
We should apply an extra filter of case-specific permissions.
(Inherit code from: http://issues.civicrm.org/jira/browse/CRM-5666)
(Bug: currently, a user can view a case activity via the above URLs even if they don't have CiviCase permission.)
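The three checks above as a single decision function, written here as an added PHP example that is not CiviCRM's own code; the activity array layout, the three callables ($hasContactPermission, $hasPermission, $canAccessCase) and the 'access <Component>' naming generalised from the CiviContribute example are assumptions standing in for the real permission layer.

```php
<?php
// Added example, not CiviCRM's own code: models the three checks in this issue.
// The activity array layout and the three callables are assumptions standing in
// for the real permission layer.
/**
 * @param array    $activity              ['contact_ids' => int[], 'component' => ?string, 'case_id' => ?int]
 * @param string   $mode                  'view' or 'edit'
 * @param callable $hasContactPermission  fn(int $contactId, string $mode): bool
 * @param callable $hasPermission         fn(string $permission): bool  (site-wide permission names)
 * @param callable $canAccessCase         fn(int $caseId): bool  (case-specific filter inherited from CRM-5666)
 */
function canAccessActivity(array $activity, string $mode, callable $hasContactPermission,
                           callable $hasPermission, callable $canAccessCase): bool {
  if (!in_array($mode, ['view', 'edit'], TRUE)) {
    throw new InvalidArgumentException("mode must be 'view' or 'edit'");
  }
  // Steps 1 and 2: the user needs view/edit permission on ALL contacts tied to the
  // activity (source, targets, assignees); a single missing contact permission denies.
  if (empty($activity['contact_ids'])) {
    return FALSE;  // an activity with no resolvable contacts cannot be authorised
  }
  foreach ($activity['contact_ids'] as $contactId) {
    if (!$hasContactPermission((int) $contactId, $mode)) {
      return FALSE;
    }
  }
  // Component referenced by the activity type (activity_type.component_id).
  $component = $activity['component'] ?? NULL;
  if ($component === 'CiviCase') {
    // Any one of the three CiviCase permissions named in the issue is sufficient.
    $casePerms = ['administer CiviCase', 'access all cases and activities', 'access my cases and activities'];
    if (!array_filter($casePerms, $hasPermission)) {
      return FALSE;
    }
    // Step 3: the extra case-specific filter; deny if the activity is not tied to a case.
    if (!isset($activity['case_id']) || !$canAccessCase((int) $activity['case_id'])) {
      return FALSE;
    }
  }
  elseif ($component !== NULL && !$hasPermission("access $component")) {
    // e.g. a Contribution activity requires 'access CiviContribute' ('access <Component>' is an assumption)
    return FALSE;
  }
  return TRUE;
}
```

Every denial path returns before any activity data is loaded, which is the ordering the issue asks for ("before loading any activity").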