CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017. Learn more.

Author Topic: Code for case "more" links check non-existent permission "edit cases"  (Read 1112 times)

davej

Code for case "more" links check non-existent permission "edit cases"
June 28, 2011, 09:52:02 am
Hi,

The presenting problem (in 3.4.1, code seems the same in 3.4.4) was that in the My Cases / All Cases listings on the case dashboard, the "more" link brought up an empty list, except for uid 1 where the list had "Assign to Another Client". I tracked this down to CRM_Case_BAO_Case::getCases, around line 732:

Code:
        // check is the user has view/edit signer permission
        $permissions = array( CRM_Core_Permission::VIEW );
        if ( CRM_Core_Permission::check( 'edit cases' ) ) {
            $permissions[] = CRM_Core_Permission::EDIT;
        }
        if ( CRM_Core_Permission::check( 'delete in CiviCase' ) ) {
            $permissions[] = CRM_Core_Permission::DELETE;
        }
        $mask = CRM_Core_Action::mask( $permissions );

The permission 'edit cases' is not defined by CiviCRM. These are all the occurrences of 'edit cases' in the Civi tree:

./CRM/Case/Task.php:             || CRM_Core_Permission::check( 'edit cases' ) ) {
./CRM/Case/Selector/Search.php:         if ( CRM_Core_Permission::check( 'edit cases' ) ) {
./CRM/Case/BAO/Case.php:        if ( CRM_Core_Permission::check( 'edit cases' ) ) {

CRM_Case_Info::getPermissions just has:

Code:
    public function getPermissions()
    {
        return array( 'delete in CiviCase',
                      'administer CiviCase',
                      'access my cases and activities',
                      'access all cases and activities' );
    }

Adding 'edit cases' here and granting to the appropriate roles allows the "Assign to Another Client" link to appear.

It also seems like a UI glitch that the "more" link appears but brings up an empty list when there are no actions to show.

Dave J
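
A static check for the defect described in the post above, as an added example that is not part of the original thread or CiviCRM's own code: it lists permission names passed to CRM_Core_Permission::check() that no getPermissions() method declares. It assumes every declaration comes from a getPermissions() method; the regexes are a simplification, and the sample sources and their file keys are constructed from the snippets quoted in the post.

```python
import re

# Permission name passed to CRM_Core_Permission::check( '...' ), either quote style.
CHECK_RE = re.compile(r"CRM_Core_Permission::check\(\s*(['\"])(.+?)\1\s*\)")
# Body of the array returned by a getPermissions() method.
DECL_RE = re.compile(
    r"function\s+getPermissions\s*\(\s*\)\s*\{.*?return\s+array\s*\((.*?)\)\s*;", re.S)
STRING_RE = re.compile(r"(['\"])(.+?)\1")


def declared_permissions(sources):
    """Collect every permission name returned by a getPermissions() method."""
    declared = set()
    for text in sources.values():
        for body in DECL_RE.findall(text):
            declared.update(name for _, name in STRING_RE.findall(body))
    return declared


def undeclared_checks(sources):
    """Return {permission: [(path, line_no), ...]} for checks of undeclared names."""
    declared = declared_permissions(sources)
    findings = {}
    for path, text in sorted(sources.items()):
        for line_no, line in enumerate(text.splitlines(), start=1):
            for _, name in CHECK_RE.findall(line):
                if name not in declared:
                    findings.setdefault(name, []).append((path, line_no))
    return findings


# Constructed sample: file keys are assumed, contents mirror the lines quoted in the post.
SAMPLE = {
    "CRM/Case/Info.php": """public function getPermissions()
    {
        return array( 'delete in CiviCase',
                      'administer CiviCase',
                      'access my cases and activities',
                      'access all cases and activities' );
    }""",
    "CRM/Case/BAO/Case.php":
        "if ( CRM_Core_Permission::check( 'edit cases' ) ) {\n"
        "if ( CRM_Core_Permission::check( 'delete in CiviCase' ) ) {\n",
    "CRM/Case/Selector/Search.php": "if ( CRM_Core_Permission::check( 'edit cases' ) ) {\n",
    "CRM/Case/Task.php": "|| CRM_Core_Permission::check( 'edit cases' ) ) {\n",
}
```

Run over a real tree by reading each .php file into the dictionary; a name that is reported can never be granted through the permissions UI, so the check it guards fails for everyone except a user who bypasses permission checks.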

Dave Greenberg

  • Administrator
Re: Code for case "more" links check non-existent permission "edit cases"
June 28, 2011, 11:39:08 am
Dave - this code is referencing a permission that was obsoleted when "my cases" vs. "all cases" was introduced. Can you file an issue for this with a patch? You can replace the 'edit cases' permission references with 'access my cases and activities' || 'access all cases and activities'.

davej

Re: Code for case "more" links check non-existent permission "edit cases"
June 29, 2011, 10:40:09 am
Hi Dave,

In CRM/Case/BAO/Case.php getCases(), we have variable $allCases so I've done this:

Code:
--- Case.php.orig       2011-06-12 17:15:28.000000000 +0100
+++ Case.php    2011-06-29 17:41:23.000000000 +0100
@@ -731,7 +731,8 @@
         
         // check is the user has view/edit signer permission
         $permissions = array( CRM_Core_Permission::VIEW );
-        if ( CRM_Core_Permission::check( 'edit cases' ) ) {
+        if ( CRM_Core_Permission::check( 'access all cases and activities' ) ||
+             (!$allCases && CRM_Core_Permission::check( 'access my cases and activities' )) ) {
             $permissions[] = CRM_Core_Permission::EDIT;
         }
         if ( CRM_Core_Permission::check( 'delete in CiviCase' ) ) {
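
Review bot: The comment above the changed condition ("check is the user has view/edit signer permission") no longer describes what is tested, since the two added lines grant CRM_Core_Permission::EDIT on the 'access all cases and activities' / 'access my cases and activities' permissions; update the comment to name those permissions and to say that $allCases selects between them. $allCases is not defined anywhere in the visible context, so confirm at its declaration that it is always set and boolean before !$allCases is relied on in a permission decision. Style: "(!$allCases" omits the space after the opening parenthesis that the surrounding lines use.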

In CRM/Case/Selector/Search.php getRows(), it's not clear whether 'access all cases and activities' or 'access my cases and activities' is appropriate, as it will depend on the cases being retrieved. Should the permissions mask therefore be calculated separately per case, using the 'all' or 'my' permission depending on whether the case belongs to the user?

In CRM/Case/Task.php permissionedTaskTitles(), accept either permission?

Dave J

Dave Greenberg

  • Administrator
Re: Code for case "more" links check non-existent permission "edit cases"
June 29, 2011, 12:32:04 pm
Hi Dave - Did some tests to verify that CRM_Case_Selector_Search::getRows only spits out cases the current user is allowed to see (based on all vs my cases permissions). So I think it's safe to replace 'edit case' with 'access my cases and activities' || 'access all cases and activities' in the method.

Your fix for getCases() looks good to me. And I think the OR permission above is also fine for Task.php (we just want to make sure folks w/o 'delete in CiviCase' cannot delete, which is working properly currently).

davej

Re: Code for case "more" links check non-existent permission "edit cases"
July 01, 2011, 08:30:38 am
Hi Dave,

Thanks, I've submitted issue CRM-8411 with patch.

Dave J


This forum was archived on 2017-11-26.