Details
-
Type:
Bug
-
Status: Done/Fixed
-
Priority:
Major
-
Resolution: Fixed/Completed
-
Affects Version/s: 3.2.5, 3.3.0
-
Fix Version/s: 3.3.0
-
Component/s: None
-
Labels:None
Description
When a report class defines $_customGroupExtends and includes custom fields in Display Columns / Filters - users' permissions to access that custom data set should be checked and the fields should NOT be included if the user doesn't have access.
To recreate the bug:
- Modify sample custom data field - Donor Info->How Long Have You Been a Donor so that the field Is Searchable.
- Create a Drupal role that has access CiviReport, access CiviContribute, view all contacts. BUT role does NOT have 'access all custom data'
- Log in as that role and view or edit a contribution record. The Donor Info custom data set is NOT shown.
- Now go to Donor Report (Detail)
- The custom data set IS included in Display Columns and Filters AND values can be viewed on the report.