CiviCRM / CRM-9258

CiviEvent dashboard summary ACL: shows all events when user should see no events, incorrect total_events

    Details

    • Type: Bug
    • Status: Done/Fixed
    • Priority: Minor
    • Resolution: Fixed/Completed
    • Affects Version/s: 4.0.7
    • Fix Version/s: 4.1.0
    • Component/s: CiviEvent
    • Labels:
      None

      Description

      See http://forum.civicrm.org/index.php/topic,22488.0.html

      As a user without "edit all events" or "view event participants", with no ACLs for events in place from the UI...

      (1) The event summary at /civicrm/event?reset=1 respects ACL hooks in a way that mostly seems correct: e.g. if hook_aclGroup allows access to 1 event, then that 1 event shows in the summary. However if the user should be able to see NO events, the summary shows ALL events.

      (2) The value for $eventSummary['total_events'] calculated and passed to the template ignores ACLs. This could cause pager problems.

      The attached patch against 4.0.7 addresses both issues. Works for me but should be QA'd.

            People

            • Assignee:
              lobo Donald A. Lobo
              Reporter:
              davej Dave Jenkins
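Added example, not part of the original report and not CiviCRM code: a minimal PHP sketch of how both reported symptoms can arise when an ACL filter is only applied if the permitted-ID list is non-empty, next to a fail-closed form. The function names, the sample events and the use of null for "no ACL restriction" are assumptions made for illustration; the actual cause in 4.0.7 is not stated on this page.

```php
<?php
// Added illustration with hypothetical names; this is not CiviCRM code.

// Constructed sample data standing in for the event table.
const EVENTS = [1 => 'Fall Fundraiser', 2 => 'Board Meeting', 3 => 'Volunteer Day'];

/**
 * Fail-open summary: the ACL filter is applied only when the permitted
 * list is non-empty, and the total is counted without the filter.
 */
function summaryFailOpen(array $permittedIds): array {
    $rows = EVENTS;
    if (!empty($permittedIds)) {            // empty list => filter skipped
        $rows = array_intersect_key($rows, array_flip($permittedIds));
    }
    return ['events' => $rows, 'total_events' => count(EVENTS)];
}

/**
 * Fail-closed summary: null means "no ACL restriction" (assumed here for a
 * user holding a global permission). Any array, including an empty one, is
 * enforced, and the total is taken from the same filtered set.
 */
function summaryFailClosed(?array $permittedIds): array {
    $rows = EVENTS;
    if ($permittedIds !== null) {
        $rows = array_intersect_key($rows, array_flip($permittedIds));
    }
    return ['events' => $rows, 'total_events' => count($rows)];
}

// Compare both forms for a user allowed one event and a user allowed none.
foreach ([[2], []] as $permitted) {
    $open   = summaryFailOpen($permitted);
    $closed = summaryFailClosed($permitted);
    printf(
        "permitted=[%s] fail-open: %d shown, total_events=%d | fail-closed: %d shown, total_events=%d\n",
        implode(',', $permitted),
        count($open['events']), $open['total_events'],
        count($closed['events']), $closed['total_events']
    );
}
```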