Author Topic: User can edit groups, without that permission (Read 1261 times)

websynapse · December 13, 2009, 02:56:50 pm

I have a Drupal role set up with the CiviCRM module 'edit groups' permission unchecked. My test user only has that role.

When they go to Manage Groups, they can see all the disabled groups and have these options: Members | Settings | Enable | Disable | Delete

When they enable a disabled group, the only option they have is Members.

Why can they see all the options?

Dave Greenberg · December 14, 2009, 02:15:02 pm

First, make sure that your 'authenticated' role doesn't have 'edit groups' permission. This caught me up when trying to replicate your issue on my local sandbox - the role I was testing didn't have 'edit groups', but the 'authenticated' role did - and authenticated permissions cascade to all roles except anonymous.

Once I fixed that issue, it looks like this problem doesn't occur in 3.0. For users w/o 'edit groups':
- the 'Manage Groups' navigation menu is disabled
- they get 'Access Denied' if they go directly to the url - http://..../civicrm/group?reset=1

websynapse · December 14, 2009, 04:17:26 pm

The 'authenticated' role definitely doesn't have that permission.

Seems like a bug as it shouldn't really have Enable AND Disable.

I guess we'll wait for the upgrade... *sigh*

thanks

CiviCRM Community Forums (archive)

News:

Author Topic: User can edit groups, without that permission (Read 1261 times)

websynapse

User can edit groups, without that permission

Dave Greenberg

Re: User can edit groups, without that permission

websynapse

Re: User can edit groups, without that permission