CiviCRM Community Forums (archive)

Hi,

I'm just looking at some code written by someone else to integrate with CiviCRM. It is using an API function to search contacts but the API isn't respecting ACLS (or multisite-ness) and doesn't look like it is supposed to.

Is there a search function that does? The AJAX contactlist function does but it relies on browser variables.

What user are you using for the api call? The same as the end user that sees less contacts ?

Could you try using the ajax interface to test/debug when connected as a ACL limited user ?

http://en.flossmanuals.net/CiviCRM/DevelopAPI

OK, so talking to Lobo on IRC I believe that the module I have attached *should* return different results for my admin user (who finds hundreds of contact when she searches in civicrm) and my tester user (who only sees 2 contacts due to not have 'view all contacts' but having been given access (via CiviCRM ACL to view the members of one group)

However, when I install the module & hit the URL <sitename>/contactapisearch I see the same 25 contacts whether I am logged in as the user who can see lots of user  in CiviCRM or as the user who can only see 2

What do you get when you ajax search as the non admin user ?
/civicrm/ajax/rest?fnName=civicrm/contact/search&json=1&sort_name=

(p.s you .module file is empty)

Ok so I reattached the modules on the last post. The behaviour I am seeing is the same through AJAX and allows my test user to see contacts they otherwise can't (I'm hoping I'm doing something wrong - otherwise this would seem to be a bit of a major security issue)

I am testing on two sites one is 3.0.2 and the other is 3.1.4. The 3.0.2 version is pretty much out of the box whereas the 3.1.4 has multisite enabled and a few patches applied but the behaviour is the same on both

The test user has pretty broad permissions via drupals and perhaps this is where we are going wrong. They have all civicrm permissions via drupal except: view all contacts & edit all contacts (and in the multisite they don't have administer multisite).

The test user has been given permission to view 2 contacts through ACL and these are the only ones they can access through CiviCRM interface but if they hit the REST URL they seem to be able to view all users.

aargh will re-zip.

However, the behaviour is the same using the AJAX interface  - ie. my user who can see two users through the CiviCRM interface can see all users using the ajax URL posted by Xavier.:: /civicrm/ajax/rest?fnName=civicrm/contact/search&json=1&sort_name=%

the api search is a wrapper around the apiQuery that looks like it's a wrapper around the BAO query. No idea why the ACL isn't applied.

Could you recreate on demo your group ACL configuration ? Seems that we will need someone from the core to help the investigation.

CRM/Contact/BAO/Query.php

    static function apiQuery( $params = null,
                              $returnProperties = null,
                              $fields = null,
                              $sort = null,
                              $offset = 0,
                              $row_count = 25,
                              $smartGroupCache = true )
    {
        $query = new CRM_Contact_BAO_Query( $params, $returnProperties,
                                             null, true, false, 1,
                                             false, true, $smartGroupCache );


IMO, should be seen as a security vulnerability, not as a feature.

By introducing the ACL in the query, you don't break compatibility, you fix a bug. If you need to get access to all the contacts from your rest api (or any of the way of accessing the api), simply use a user that has the right permissions.

Eileen, if you find the time to see what is the performance cost of introducing the api, I'd be very interested to see the result.

X+