Details
-
Type:
Bug
-
Status: Done/Fixed
-
Priority:
Major
-
Resolution: Fixed/Completed
-
Affects Version/s: 3.2, 3.2.1, 3.2.2, 3.2.3
-
Fix Version/s: 3.2.4
-
Component/s: Core CiviCRM
-
Labels:None
Description
Currently a user who has 'delete contacts' permission but does NOT have 'access deleted contacts' still sees the 'Delete Permanently' action in search results 'actions' drop down. This is incorrect. Only users with 'access deleted contacts' should be able to permanently delete contacts.
---- Original Post from Brian S ----
there are two permissions impacting contact deletion –
delete contacts
access deleted contacts
the latter is intended, at least in part, to restrict the ability to permanently delete contacts. it does hide the ability to search for deleted contacts in advanced search. however, if a search is run, the ability to delete permanently from the search result action dropdown is still present – suggesting the user may still delete permanently... skipping the trash function.
either that second permission needs to completely restrict ability to delete permanently, or a new permission should be constructed that restricts the ability to delete permanently. current behavior leaves a pretty big hole for data loss by lower permissioned users.