CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017.




Author Topic: Basic ACL question, please help!  (Read 1512 times)

David L

Basic ACL question, please help!
July 06, 2010, 10:45:00 am
So I have two Access Control Groups set up: one is Chief Admins, which has edit permissions on all contacts, and one is the Volunteer Admin Team, which only has permissions to see and edit contacts in the Volunteers group.

The problem is that a staff member on the Volunteer Admin Team can log in, open her own contact record, click on Groups and add herself to the Chief Admins Access Control group, giving her instant access to everything!

What am I doing wrong here?

xcf33

  • CiviCRM version: 3.3.2
  • CMS version: Drupal 6.19/6.20
  • MySQL version: 5.x
  • PHP version: 5.2.6
Re: Basic ACL question, please help!
July 06, 2010, 11:04:58 am
Hi, I believe the answer is in

http://wiki.civicrm.org/confluence/display/CRMDOC/Drupal+Access+Control

Set up Drupal Access Permission for the 2 roles first, then define your ACL.

In this case, maybe both roles in Drupal have "administer CiviCRM" or "edit all contacts" enabled.


Hope it helps!

David L

Re: Basic ACL question, please help!
July 06, 2010, 11:09:32 am
I don't think that is the problem. Here are the current Drupal permissions allowed for Authenticated users:

access CiviCRM   
access CiviContribute   
access CiviEvent   
access CiviMail   
access CiviMail subscribe/unsubscribe pages
access CiviPledge   
access CiviReport   
access Contact Dashboard   
access Report Criteria
access all custom data
access uploaded files   
add contacts
delete contacts
edit all events   
edit contributions   
edit event participants
edit pledges
make online contributions
profile listings and forms
view event info
view event participants

Donald Lobo

  • Administrator
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: Basic ACL question, please help!
July 06, 2010, 11:35:11 am

1. I would recheck the ACLs you have on the volunteer admin

2. Ensure that the user is also not in the chief admin group

3. Check the other ACL roles/groups the person is possibly in and then check the corresponding ACLs

lobo

David L

Re: Basic ACL question, please help!
July 06, 2010, 11:47:31 am
There are only two ACLs set in the system.

a) Chief Admins role > Edit permissions > All Groups
b) Volunteers Admins > Edit permissions > Volunteers

That's it. The staff members in question are only part of the Volunteer Admins group and no other groups, yet they can still add themselves to the Chief Admins group.

ctarascio

    • American Friends Service Committee
  • CiviCRM version: 4.1.3
  • CMS version: Drupal 6.26
  • MySQL version: 5.5.20
  • PHP version: 5.3.13
Re: Basic ACL question, please help!
July 06, 2010, 12:19:20 pm
David,
Are you sure that the permissions for the Volunteer Admin role do not include the "edit groups" permission? It sure sounds like it does. Can you recheck, please?

Cynthia

David L

Re: Basic ACL question, please help!
July 06, 2010, 12:42:20 pm
Cynthia,

I assume you are referring to the Drupal 'edit groups' permission. It is not enabled.

Have a look at screenshots below to see current Drupal settings and current CiviCRM ACL settings.
http://yjpinterns.com/drupal%20permissions.jpg
http://yjpinterns.com/civicrm%20acl.jpg


Ideas?

David L

Re: Basic ACL question, please help!
July 06, 2010, 01:21:43 pm
GOT IT!

The HRD module http://svn.civicrm.org/hrd/trunk/drupal/hrd.module was causing this.

Thanks for all your help! Hopefully, this thread will one day prevent another HRD module user from wasting three hours of his time :)


FrTommy

  • CiviCRM version: 4.5.x
  • CMS version: Drupal 7.x
  • MySQL version: 5.5.32
  • PHP version: 5.3
Re: Basic ACL question, please help!
August 26, 2010, 05:21:28 am
The exact same thing is happening to me and I don't have this HRD module you speak of.

I have Access Control Groups: Administrator which can edit everything and then I have Editor which can edit contacts and add to Mailing List Groups but not add or remove a user from an Access Control Group.

I cannot get this to work... What's going on? Shouldn't an Admin be the only one that can add or remove a user from an Access Control Group?

FrTommy

  • CiviCRM version: 4.5.x
  • CMS version: Drupal 7.x
  • MySQL version: 5.5.32
  • PHP version: 5.3
Re: Basic ACL question, please help!
August 26, 2010, 06:04:30 am
OK, I finally figured it out.

Apparently you have to uncheck View All Contacts in Drupal in order to prevent a user from editing the Access Control Groups. I also used the code

Code:
/**
 * Implementation of hook_civicrm_aclGroup()
 *
 * Hides access to the specified groups
 */
function fooModule_civicrm_aclGroup( $type, $contactID, $tableName, &$allGroups, &$currentGroups ) {

    if ($tableName != 'civicrm_saved_search') {
        // This hook (according to the docs) also runs for events and profiles, but we only need it for groups.
        return;
    }

    // Hide access to some groups.
    // Enter the IDs of the groups that you don't want a user to have access to here.
    static $blockedGroupIds = array(7, 12, 15);

    foreach ($blockedGroupIds as $groupId) {
        // array_search() returns FALSE when the ID is absent; index 0 is a valid hit, hence the strict comparison.
        if ( FALSE !== ($index = array_search($groupId, $currentGroups)) ) {
            unset($currentGroups[$index]);
        }
    }

}
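
An added example, not part of the original thread and not CiviCRM code: a small audit that replays group-membership changes and flags additions to access-control groups made by anyone who was not legitimately made a Chief Admin, including the self-add described in the first post. The record format, the user names and the rule that only Chief Admins manage access-control groups are assumptions, and the sample rows are constructed.

```python
from dataclasses import dataclass

# Group names from the thread; membership in these grants ACL permissions.
ACL_GROUPS = {"Chief Admins", "Volunteer Admin Team"}
MANAGERS_GROUP = "Chief Admins"  # assumption: only its members manage ACL groups

@dataclass(frozen=True)
class Change:          # hypothetical export format for one membership change
    when: str          # ISO 8601 timestamp (sorts lexicographically)
    actor: str         # logged-in user who made the change
    contact: str       # contact whose membership changed
    group: str
    action: str        # "add" or "remove"

def audit_acl_changes(initial_members, changes):
    """Replay changes in time order; return (change, reason) for suspect ACL-group adds."""
    members = {g: set(m) for g, m in initial_members.items()}
    # Managers whose membership is legitimate. Someone who escalated via a
    # flagged change never becomes trusted, so their later adds are flagged too.
    trusted = set(members.get(MANAGERS_GROUP, set()))
    findings = []
    for ch in sorted(changes, key=lambda c: c.when):
        group = members.setdefault(ch.group, set())
        if ch.action == "remove":
            group.discard(ch.contact)
            if ch.group == MANAGERS_GROUP:
                trusted.discard(ch.contact)
            continue
        if ch.group in ACL_GROUPS and ch.actor not in trusted:
            reason = "self-add" if ch.actor == ch.contact else "added by non-manager"
            findings.append((ch, reason))
        elif ch.group == MANAGERS_GROUP:
            trusted.add(ch.contact)   # appointed by a trusted manager
        group.add(ch.contact)
    return findings

# Constructed sample data.
INITIAL = {"Chief Admins": {"dana"}, "Volunteer Admin Team": {"erin"}, "Volunteers": {"vol1"}}
CHANGES = [
    Change("2010-07-06T10:00:00", "dana", "frank", "Volunteer Admin Team", "add"),
    Change("2010-07-06T10:30:00", "erin", "erin", "Chief Admins", "add"),
    Change("2010-07-06T10:35:00", "erin", "gus", "Chief Admins", "add"),
    Change("2010-07-06T10:40:00", "erin", "vol2", "Volunteers", "add"),
    Change("2010-07-06T11:00:00", "dana", "hana", "Chief Admins", "add"),
    Change("2010-07-06T11:05:00", "hana", "ivy", "Volunteer Admin Team", "add"),
]

if __name__ == "__main__":
    for change, reason in audit_acl_changes(INITIAL, CHANGES):
        print(f"{change.when} {reason}: {change.actor} added {change.contact} to {change.group}")
```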


This forum was archived on 2017-11-26.