CiviCRM Community Forums (archive)


This forum was archived on 25 November 2017. Learn more.

Author Topic: Multi-Org segregation failures: Administer CiviCRM shortcuts custom group ACL  (Read 2301 times)

davej

Multi-Org segregation failures: Administer CiviCRM shortcuts custom group ACL
February 17, 2010, 11:24:37 am
Elaborating on issue discussed in Multi-Org: Summary of data segregation failures:

From that topic:
----8<----
Administer CiviCRM perm shortcuts custom group ACL: see CRM_Core_Permission::customGroup line 127:

Code:
        // check if user has all powerful permission
        // or administer civicrm permission (CRM-1905)
        if ( self::check( 'access all custom data' ) ||
             self::check( 'administer CiviCRM' ) ) {
            return array_keys( $customGroups );
        }

- This is not good; L2 admins need 'administer CiviCRM' but should not see custom groups that are ACL'd for other sites only.
----8<----

Subsequent IRC discussion:

Feb 17 17:15:15 <davej_>   Great. Finally: Administer CiviCRM perm shortcuts custom group ACL
Feb 17 17:16:21 <davej_>   A quick hack comes to mind: check for multisite being on & if so, check "administer multi orgs" instead. Any good?
Feb 17 17:16:45 <davej_>   - in CRM_Core_Permission::customGroup line 127 ish
Feb 17 17:18:09 <dlobo>   yeah, we can do that
Feb 17 17:18:12 <dlobo>   that seems reasonable

Thinking about this further, I'm not sure why 'administer CiviCRM' (or indeed 'administer Multiple Organizations') should shortcut permissions in this way. If a user needs to bypass ACL for custom groups, they should be given 'access all custom data' perm, shouldn't they? OK, I've just read CRM-1905. Not entirely won over, but I'd be happy with either:

(1) If CIVICRM_MULTISITE is on, don't let 'administer CiviCRM' override ACL

or:

(2) If CIVICRM_MULTISITE is on, let 'administer Multiple Organizations' override ACL instead of 'administer CiviCRM'

- (1) makes more sense to me.

Dave J
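
The post above weighs two ways of stopping 'administer CiviCRM' from bypassing custom group ACLs on a multi-site install. The following is an added example, not part of the original thread and not CiviCRM's code or the committed fix: a stand-alone model of the check that compares the quoted behaviour with options (1) and (2) for a site-level admin. The function `visibleCustomGroups()`, its parameters, the `BYPASS_*` constants and the sample data are all hypothetical.

```php
<?php
// Added illustration: a stand-alone model of the custom group check, not CiviCRM code.
// visibleCustomGroups(), its parameters and the BYPASS_* constants are hypothetical names.

const BYPASS_ORIGINAL = 0; // behaviour quoted in the post
const BYPASS_OPTION_1 = 1; // multisite on: 'administer CiviCRM' no longer overrides ACL
const BYPASS_OPTION_2 = 2; // multisite on: 'administer Multiple Organizations' overrides instead

function visibleCustomGroups(array $customGroups, array $perms, array $aclAllowed,
                             bool $multisite, int $mode): array
{
    $has = fn(string $p): bool => in_array($p, $perms, true);

    // 'access all custom data' is the explicit bypass in every variant.
    $bypass = $has('access all custom data');

    if (!$multisite || $mode === BYPASS_ORIGINAL) {
        // Single-site installs, or the quoted code: the admin permission shortcuts the ACL.
        $bypass = $bypass || $has('administer CiviCRM');
    } elseif ($mode === BYPASS_OPTION_2) {
        $bypass = $bypass || $has('administer Multiple Organizations');
    }
    // BYPASS_OPTION_1 with multisite on: no admin shortcut at all.

    if ($bypass) {
        return array_keys($customGroups);
    }
    // Otherwise only the groups the ACL grants to this user.
    return array_values(array_intersect(array_keys($customGroups), $aclAllowed));
}

// Constructed sample data: two sites, each with its own custom group.
$groups  = [1 => 'Site A donor details', 2 => 'Site B volunteer details'];
$l2Admin = ['administer CiviCRM'];   // site-level (L2) admin for Site A
$acl     = [1];                      // ACL grants this user group 1 only

foreach ([BYPASS_ORIGINAL, BYPASS_OPTION_1, BYPASS_OPTION_2] as $mode) {
    printf("mode %d: groups %s\n", $mode,
        implode(',', visibleCustomGroups($groups, $l2Admin, $acl, true, $mode)));
}
```

A regression check for either option is the same one used later in the thread: with multisite on, a user holding only 'administer CiviCRM' should see only the ACL'd custom groups, after the ACL caches are cleared.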

Deepak Srivastava

Re: Multi-Org segregation failures: Administer CiviCRM shortcuts custom group ACL
February 19, 2010, 02:46:38 am
Made a fix here - http://fisheye2.atlassian.com/changelog/CiviCRM?cs=26326. Now hook is called in any case.

Can you verify if patch works for you?
« Last Edit: February 19, 2010, 02:52:53 am by Deepak Srivastava »

Deepak Srivastava

Re: Multi-Org segregation failures: Administer CiviCRM shortcuts custom group ACL
February 19, 2010, 07:30:42 am
Quote
(06:38:01  IST) deepaks: doesn't the new fix allow ACL-UI override ?
(06:38:54  IST) davej_: Doesn't seem to: users with administer CiviCRM still see all custom groups, e.g. on contact view.
(06:39:23  IST) davej_: Turn off administer CiviCRM  -> only the ACL'd custom groups are visible.
(06:39:37  IST) davej_: I cleared civicrm_cache & _acl_cache

Here is another fix - http://fisheye2.atlassian.com/changelog/CiviCRM?cs=26332 using your suggestion.

davej

Re: Multi-Org segregation failures: Administer CiviCRM shortcuts custom group ACL
February 19, 2010, 07:53:44 am
Hi Deepak,

Quote from: Deepak Srivastava on February 19, 2010, 07:30:42 am
Here is another fix - http://fisheye2.atlassian.com/changelog/CiviCRM?cs=26332 using your suggestion.

Thanks, that's working here. :)

Dave J


This forum was archived on 2017-11-26.