Details
Type: Patch
Status: Done/Fixed
Priority: Minor
Resolution: Fixed/Completed
Affects Version/s: 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4
Fix Version/s: 3.3.beta
Component/s: Core CiviCRM
Labels: None
Description
Based on the forum post here: http://forum.civicrm.org/index.php/topic,16387.msg70420.html
Short explanation:
When an ACL is applied to the group of contacts "All groups", no check is done to compare the requested operation with the granted operation; instead, any operation is granted, as if "All" had been defined in the ACL configuration, even when it was not.
Use case:
Grant "view-only" access to all contacts for a group of users, without relying on Drupal permission "view all contacts". (In our case this is required because we have a particular group of contacts who are off-limits to most users, but all other contacts should be viewable to view-only users.) It would seem this could be done this way:
- create a user with only "access CiviCRM" Drupal permission
- create "View only" group, attach that group to "View only" ACL role
- create an ACL granting "View" operation to "View only" role for group of contacts: "All groups"
Expected behavior:
The user should be able to view – and only view – all contacts.
Actual behavior:
The user will have "All" access to the contacts: edit, delete, etc.
Application to other use cases:
From the looks of the code, it appears this behavior is not limited to cases where the "View" operation is assigned. It appears that any ACL applied to the group of contacts "All groups" will grant the "All" operation to the user.
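The following Python model is an added illustration, not CiviCRM's code and not part of the original report. It contrasts the behaviour described above (an "All groups" ACL honoured without comparing the granted operation against the requested one) with the check the reporter expected, where both the contact target and the operation must match. It also generalizes the point in the last paragraph: the defect applies to whatever operation the ACL grants. All names (`Acl`, `ALL_GROUPS`, `ALL_OPS`, `is_allowed_as_reported`, `is_allowed_expected`, `reproduce`) and the sample role, ACL and contact groups are hypothetical and constructed for this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Union

# Hypothetical markers for this model (not CiviCRM identifiers).
ALL_GROUPS = "ALL_GROUPS"   # ACL target "group of contacts: All groups"
ALL_OPS = "All"             # ACL operation "All"


@dataclass(frozen=True)
class Acl:
    role: str                           # ACL role the entry applies to, e.g. "View only"
    operation: str                      # "View", "Edit", "Delete" or "All"
    target: Union[str, FrozenSet[str]]  # ALL_GROUPS or a set of contact group names


def _target_matches(acl: Acl, contact_groups: FrozenSet[str]) -> bool:
    """Does this ACL's contact target cover a contact in the given groups?"""
    if acl.target == ALL_GROUPS:
        return True
    return bool(acl.target & contact_groups)


def is_allowed_as_reported(acls: Iterable[Acl], user_roles: FrozenSet[str],
                           contact_groups: FrozenSet[str], requested_op: str) -> bool:
    """Model of the behaviour the report describes.

    When the target is "All groups" the entry is honoured without ever comparing
    acl.operation with requested_op, so a "View" ACL behaves as if it were "All".
    """
    for acl in acls:
        if acl.role not in user_roles:
            continue
        if acl.target == ALL_GROUPS:
            return True  # the reported defect: granted operation never checked
        if acl.target & contact_groups and acl.operation in (ALL_OPS, requested_op):
            return True
    return False


def is_allowed_expected(acls: Iterable[Acl], user_roles: FrozenSet[str],
                        contact_groups: FrozenSet[str], requested_op: str) -> bool:
    """The check the reporter expected: target AND operation must both match."""
    for acl in acls:
        if acl.role not in user_roles:
            continue
        if not _target_matches(acl, contact_groups):
            continue
        if acl.operation in (ALL_OPS, requested_op):
            return True
    return False


def reproduce() -> dict:
    """Constructed scenario from the report: role "View only" granted View on All groups.

    Returns {operation: (result as reported, result as expected)}.
    """
    acls = [Acl(role="View only", operation="View", target=ALL_GROUPS)]
    user_roles = frozenset({"View only"})
    contact_groups = frozenset({"Members"})  # constructed sample contact membership
    return {
        op: (is_allowed_as_reported(acls, user_roles, contact_groups, op),
             is_allowed_expected(acls, user_roles, contact_groups, op))
        for op in ("View", "Edit", "Delete")
    }


if __name__ == "__main__":
    for op, (reported, expected) in reproduce().items():
        print(f"{op:6s} reported={reported!s:5s} expected={expected}")
```

Running the block prints one line per operation: View is granted by both checks, while Edit and Delete are granted only by the as-reported path, which is exactly the view-only user ending up with "All" access described under Actual behavior.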