CiviCRM / CRM-7469

Fatal error if a "non-permitted" event or profile is in the requested page

    Details

    • Type: Bug
    • Status: Done/Fixed
    • Priority: Trivial
    • Resolution: Fixed/Completed
    • Affects Version/s: 3.2.3
    • Fix Version/s: 3.4.alpha
    • Component/s: CiviCRM API
    • Labels: None

      Description

      Add this to the list of places where calling CRM_Core_Error::fatal() is The Wrong Damn Thing To Do:

      This bug manifests in two ways. Both involve resources that are controlled by the ACL system.

      For events:
      1. Create a private event.
      2. Log in as a user who is not approved for the event.

      You get a fatal() in this case. What you really should get is a 404 or 403 screen.

      For profiles:
      1. Create a profile that is controlled by the ACL system, and for which the user does not have an overriding Drupal role.
      2. Log in as a user that can edit a group of contacts, but does not have access to the profile.
      3. Use the "Batch Update" feature on some contacts in the group.

      You also get a fatal() in this case. Here, the Batch Update needs to check permissions for profiles, and if a given profile is not approved, not allow the feature to deploy that profile.

      It would be nice if there was some better way to panic than fatal(). We use PHP 5 now exclusively; throw an exception and call fatal higher up on the catch() chain, so it's easier for developers to override this behavior, if nothing else.
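The exception-based handling suggested above, as an added PHP example that is not CiviCRM's own code; the ACL table, the exception class, the function names and the choice of 404 for events versus 403 for profiles are all assumptions.

```php
<?php
// Added example (not CiviCRM code) of the pattern the report asks for: the ACL
// check throws, and one catch() near the request entry point turns that into a
// 403/404 response instead of reaching CRM_Core_Error::fatal(). Names are hypothetical.

class AccessDeniedException extends Exception {
    public $status;
    public function __construct($resource, $id, $status) {
        parent::__construct("no access to $resource $id");
        $this->status = $status;
    }
}

// Constructed ACL table standing in for CiviCRM's ACL system: true = permitted.
$ACL = array(
    'event'   => array(10 => true, 11 => false),
    'profile' => array(20 => true, 21 => false),
);

// Throw instead of fatal(). Assumption: a private event answers 404 so its
// existence is not disclosed; a profile the user may not use answers 403.
function requireAccess(array $acl, $resource, $id) {
    if (empty($acl[$resource][$id])) {
        throw new AccessDeniedException($resource, $id, $resource === 'event' ? 404 : 403);
    }
}

// Batch Update: keep only the profiles the user may deploy instead of aborting.
function permittedProfiles(array $acl, array $profileIds) {
    return array_values(array_filter($profileIds, function ($id) use ($acl) {
        return !empty($acl['profile'][$id]);
    }));
}

// Top of the catch() chain: map the exception to an HTTP status. Anything
// else is a genuine internal error and may still go to fatal().
function dispatch(callable $controller) {
    try {
        return array(200, $controller());
    } catch (AccessDeniedException $e) {
        return array($e->status, $e->getMessage());
    }
}

list($code, $body) = dispatch(function () use ($ACL) {
    requireAccess($ACL, 'event', 11);   // private event this user is not approved for
    return 'event page';
});
echo "$code $body\n";
print_r(permittedProfiles($ACL, array(20, 21)));
```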

            People

            • Assignee: Donald A. Lobo (lobo)
            • Reporter: Rob Thorne (torenware)
