CiviCRM Community Forums (archive)


This forum was archived on 25 November 2017. Learn more.

Author Topic: CiviCRM 3.4.1 ACL Is Now Ignored When Calling API Via PHP in Content Template  (Read 990 times)

miko

  • I post occasionally
  • **
  • Posts: 75
  • Karma: 2
  • CiviCRM version: 3.4.5
  • CMS version: Drupal 6.22
  • MySQL version: 5.0.77
  • PHP version: 5.2.11
CiviCRM 3.4.1 ACL Is Now Ignored When Calling API Via PHP in Content Template
May 11, 2011, 10:00:40 pm
I've just upgraded to CiviCRM 3.4.1.  I am wondering if that's what caused what I'm describing here.

If you refer to

Re: Trying to print CiviCRM_Address fields for Contact Refernce Via a NODE
(http://forum.civicrm.org/index.php/topic,19637.msg81734.html#msg81734)

You will see that at one point I found a solution for printing CiviCRM fields in a content node by adding PHP to the content template that references api.php the civicrm_api() "get" function.

I got this working for anonymous users WITHOUT giving them access to "View ALL contacts" in Drupal Permissions by creating a "Public Sports Data" group and then adding sports contacts to it (coaches and facilities).

Two things definitely are working:

1.  the fields print in the content node when logged in as anyone with "view all contacts" privileges - but this was not necessary before today.
2.  the ACL rules in CiviCRM are WORKING when an anonymous user accesses the CiviCRM contact page directly:

      *  e.g. http://soncnv.webfactional.com/civicrm/contact/view?reset=1&cid=4

They cannot see all contacts, but CAN see the Contacts in the Public Sports Data Group.  So on the CiviCRM side, the ACL and group are set up and connected properly.

So specifically, it seems that, maybe, the API has changed and no longer provides information using ACL rules but only Drupal permissions?  Which, I'm pretty sure, was not the case in 3.3.6.

Since an Admin user always sees the CiviCRM data perfectly, and so does any user where I set "see all contacts", it's definitely an issue of Drupal Permissions now overriding the CiviCRM ACL, but ONLY within a content node, or template, or PHP.

I've cleared EVERY cache: site cache, views cache.

What I NEED to do is to show contact data in a Drupal node because I don't want anonymous users to go to /civicrm/contact/view?reset=1 because those screens expose WAY too much data that we don't need site visitors to see.

** ANY HELP APPRECIATED GREATLY.

If you want the full code for reference, please see:
http://forum.civicrm.org/index.php/topic,19637.msg81734.html#msg81734

THANKS!  Merci Beaucoup.



Eileen

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4195
  • Karma: 218
    • Fuzion
Re: CiviCRM 3.4.1 ACL Is Now Ignored When Calling API Via PHP in Content Template
May 12, 2011, 12:35:30 am
Hi,

Try adding as a param 'check_permissions' => FALSE
Make today the day you step up to support CiviCRM and all the amazing organisations that are using it to improve our world - http://civicrm.org/contribute

Erik Hommel

  • Forum Godess / God
  • I live on this forum
  • *****
  • Posts: 1773
  • Karma: 59
    • EE-atWork
  • CiviCRM version: all sorts
  • CMS version: Drupal
  • MySQL version: Ubuntu's latest LTS version
  • PHP version: Ubuntu's latest LTS version
Re: CiviCRM 3.4.1 ACL Is Now Ignored When Calling API Via PHP in Content Template
May 12, 2011, 12:37:27 am
I was just going to mention the same....but Eileen beat me to it :-)
Consultant/project manager at EEatWork and CiviCooP (http://www.civicoop.org/)

miko

Re: CiviCRM 3.4.1 ACL Is Now Ignored When Calling API Via PHP in Content Template
May 12, 2011, 06:10:56 pm
Thanks Eileen, where do I add that?

Eileen

Re: CiviCRM 3.4.1 ACL Is Now Ignored When Calling API Via PHP in Content Template
May 12, 2011, 06:11:59 pm
ie. add it as a field on the array you pass into the api call

miko

Re: CiviCRM 3.4.1 ACL Is Now Ignored When Calling API Via PHP in Content Template
May 12, 2011, 06:44:41 pm
Beautiful!  It works now. 

$xcoach = civicrm_api("Contact","get", array ('version' =>'3', 'contact_id' => $xcoach_id, 'check_permissions' => false));

But when there are a lot of arrays, it's a lot of extra typing.

From this issue log, I'm seeing that apparently the programmers recently decided to force people to more proactively control what anonymous users can see:

http://issues.civicrm.org/jira/browse/CRM-8061

:(

Eileen

Re: CiviCRM 3.4.1 ACL Is Now Ignored When Calling API Via PHP in Content Template
May 12, 2011, 07:43:57 pm
It's under active discussion!

However, if we change it back (next week for example) & only make the new permissioning apply to REST it won't break again

miko

Re: CiviCRM 3.4.1 ACL Is Now Ignored When Calling API Via PHP in Content Template
May 12, 2011, 07:47:51 pm
Thanks for your quick replies today Eileen!

xavier

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4453
  • Karma: 161
    • Tech To The People
  • CiviCRM version: yes probably
  • CMS version: drupal
Re: CiviCRM 3.4.1 ACL Is Now Ignored When Calling API Via PHP in Content Template
May 13, 2011, 12:16:24 am
Hi,

We came to the conclusion that having to add 'check_permissions' => false to all the php calls wasn't useful, and reverted to the previous behaviour (don't check the permission in the php code).

http://civicrm.org/API_permission

Please comment and join the discussion.

I'm trying to commit a fix today, but will have to travel soon. Someone in the A Team will come.

X+
-Hackathon and data journalism about the European parliament 24-26 jan. Watch out the result
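
Added example, not code from this thread or from CiviCRM: when a PHP call runs with 'check_permissions' => FALSE (or with the reverted default described above), the API applies no ACL, so the template code is the only access control. This wrapper checks group membership itself, fails closed, and returns only whitelisted fields. The group ID, the field whitelist, the function names and the stub data are assumptions, and the GroupContact check covers static group membership only.

```php
<?php
// Added example; not CiviCRM's or the poster's code.
define('PUBLIC_GROUP_ID', 5); // assumption: ID of the "Public Sports Data" group

/**
 * Fetch one contact for anonymous display. With check_permissions off the API
 * applies no ACL, so this function is the access check: the contact must be a
 * static member of the public group, and only whitelisted fields come back.
 * $api is 'civicrm_api' inside Drupal; a stub is passed below to run offline.
 */
function public_contact_get($contact_id, $api = 'civicrm_api') {
  $allowed = array('display_name', 'city', 'phone'); // hypothetical whitelist
  $contact_id = (int) $contact_id;
  if ($contact_id <= 0) {
    return NULL;
  }
  $base = array('version' => 3, 'contact_id' => $contact_id, 'check_permissions' => FALSE);
  // 1. Membership test replaces the ACL check the API no longer performs.
  $groups = call_user_func($api, 'GroupContact', 'get', $base);
  $is_public = FALSE;
  foreach (empty($groups['values']) ? array() : $groups['values'] as $g) {
    if ((int) $g['group_id'] === PUBLIC_GROUP_ID) {
      $is_public = TRUE;
    }
  }
  if (!empty($groups['is_error']) || !$is_public) {
    return NULL; // fail closed: unknown or non-public contacts yield nothing
  }
  // 2. Fetch the contact, then 3. drop every field not on the whitelist.
  $result = call_user_func($api, 'Contact', 'get', $base);
  if (!empty($result['is_error']) || empty($result['values'][$contact_id])) {
    return NULL;
  }
  return array_intersect_key($result['values'][$contact_id], array_flip($allowed));
}

// Constructed stub standing in for civicrm_api(); contact 4 is public, 9 is not.
function stub_api($entity, $action, $params) {
  $id = $params['contact_id'];
  if ($entity === 'GroupContact') {
    return array('is_error' => 0, 'values' => $id === 4 ? array(array('group_id' => '5')) : array());
  }
  $row = array('contact_id' => $id, 'display_name' => 'Coach A', 'city' => 'Reno',
    'phone' => '555-0100', 'email' => 'a@example.org', 'birth_date' => '1970-01-01');
  return array('is_error' => 0, 'values' => array($id => $row));
}

var_dump(public_contact_get(4, 'stub_api')); // contact in the public group
var_dump(public_contact_get(9, 'stub_api')); // contact outside the public group
```

In a content template the second argument is omitted so the call goes to civicrm_api(), and the contact ID should come from the node's own field rather than from a request parameter.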


This forum was archived on 2017-11-26.