Details
- Type: Bug
- Status: Done/Fixed
- Priority: Trivial
- Resolution: Fixed/Completed
- Affects Version/s: 3.2.3
- Fix Version/s: 3.4.alpha
- Component/s: CiviCRM API
- Labels: None
Description
Add this to the list of places where calling CRM_Core_Error::fatal() is The Wrong Damn Thing To Do:
This bug manifests in two ways. Both involve resources that are controlled by the ACL system.
For events:
1. Create a private event.
2. Log in as a user who is not approved for the event.
You get a fatal() in this case. What you really should get is a 404 or 403 screen.
For profiles:
1. Create a profile that is controlled by the ACL system, and for which the user does not have an overriding Drupal role.
2. Log in as a user that can edit a group of contacts, but does not have access to the profile.
3. Use the "Batch Update" feature on some contacts in the group.
You also get a fatal() in this case. Here, the Batch Update needs to check permissions for profiles, and if a given profile is not approved, not allow the feature to deploy that profile.
It would be nice if there were some better way to panic than fatal(). We use PHP 5 now exclusively; throw an exception and call fatal higher up on the catch() chain, so it's easier for developers to override this behavior, if nothing else.
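
The pattern suggested in the last paragraph, sketched as an added example (not CiviCRM code and not written by the reporter): the ACL check throws, the Batch Update path filters out unapproved profiles, and only the top of the catch chain decides between 403, 404 and the fatal path. All class and function names and the ACL table are hypothetical or constructed, and the syntax assumes PHP 7.1 or later.

```php
<?php
// Added illustration; all names are hypothetical, not CiviCRM's API.
class AccessDeniedException extends RuntimeException {}
class NotFoundException extends RuntimeException {}
// Constructed ACL table: resource => user ids approved for it.
const ACL = [
    'event:12'  => [1, 2],
    'profile:5' => [1],
    'profile:7' => [1, 3],
];

// Low-level check: report the denial, do not decide how the request ends.
function requireAccess(int $userId, string $resource): void {
    if (!array_key_exists($resource, ACL)) {
        throw new NotFoundException("No such resource: $resource");
    }
    if (!in_array($userId, ACL[$resource], true)) {
        throw new AccessDeniedException("User $userId may not use $resource");
    }
}

// Batch Update case: offer only the profiles the user is approved for.
function profilesForBatchUpdate(int $userId, array $profiles): array {
    return array_values(array_filter($profiles, function (string $p) use ($userId): bool {
        try {
            requireAccess($userId, $p);
            return true;
        } catch (AccessDeniedException | NotFoundException $e) {
            return false;
        }
    }));
}

// Top of the catch chain: known conditions become HTTP statuses with generic text.
function dispatch(callable $page): array {
    try {
        return [200, $page()];
    } catch (AccessDeniedException $e) {
        return [403, 'You are not authorized to view this page.'];
    } catch (NotFoundException $e) {
        return [404, 'Page not found.'];
    } catch (Throwable $e) {
        error_log('fatal: ' . $e->getMessage()); // stand-in for the legacy fatal path
        return [500, 'An unexpected error occurred.'];
    }
}

var_dump(dispatch(function () { requireAccess(3, 'event:12'); return 'event page'; })[0]);
var_dump(profilesForBatchUpdate(3, ['profile:5', 'profile:7']));
```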