CiviCRM Community Forums (archive)

This is a follow on from this
http://forum.civicrm.org/index.php/topic,21126.0.htm

but I thought I would start a new topic since this is a slightly different issue (potential bug?)

I have successfully implemented the aclWhereClause hook the restrict a user to a certain subset of contacts (based on a custom field in both the user and contacts). The user has the following drupal privileges:
Profile View
Access All Custom Data
Access CiviContribute
Access CiviMail
Access CiviMember
Access CiviReport
Access CiviCRM
Access Contact Dashboard

When the user logs in, they can search for contacts, but the only results are the ones that are displayed are those that the user has permission to access. The only problem is that the user has the ability to EDIT all of these contacts which I want to restrict.

So I made two ACLs using the UI.
1) "Users with Edit Permission" (Role) can "Edit" (Operation) can edit "All Groups" (Data).
2) "Users with View Permission" (Role) can "View" (Operation) can edit "All Groups" (Data).

I put my user in the 'Users with View Permission' and logged in again. This time, when the search results are displayed, there is only a View label on the right hand side of each contact, instead of View | Edit which I had before - so it looks like it is working. However, if I click on any contacts name, I am presented with their contact summary and an EDIT button at the top allowing me to edit.

As a test, I created another user, gave them the same drupal permissions, and put them in the same 'Users with View Permission' group. I didn't assign them a custom field limiting them to a subset of contacts, so the aclWhereClause hook doesn't do anything with this user. I can now view all the contacts in the database, but the edit button doesn't appear anywhere.

So it seems that the aclWhereClause hook overrides my UI ACL to restrict the user to View Only - and I have no idea how to solve this. I know the aclWhereClause has a $type that dictates what permission level the user must have, but I have no idea where it checks the type against a logged in users permission level.

This is an absolutely essential part of my implementation. We could have several hundred users, and I need to be able to restrict them to being able to view only the contacts in one of a over a hundred groups. Using the UI ACL interface to do this will be too cumbersome.

Any thoughts?

If it is a bug, I am sure I could get some funding to help with the solution.

Brian

Yes it does. And I am able to make changes and save them to the db.

Thanks Lobo - I think I have simplified it as much as I can without taking anything away from the operation of the hook. Love to hear what you think.

<?php

// Restrict the list of contacts that logged in users are able to view
function nbla_hooks_civicrm_aclWhereClause( $type, &$tables, &$whereTables, &$contactID, &$where ) {

// Table tracking custom permissions
$permissionTable = "civicrm_value_permissions";

// Table tracking custom constituent info
$groupTable = "civicrm_value_regions";

// List of different geographic permission types
$permissionFieldsType = array( 'provincial_riding' => 'Integer',
                     'commission' => 'Integer');
$permissionFields = array( 'provincial_riding',
                     'commission');

// List of different geographic trackers  
$groupFields = array( 'official_provincial_riding',
                     'commissions');

// Find the values association with the different permission types
$keys = implode( ', ', array_keys( $permissionFieldsType ) );
   $sql = "SELECT $keys FROM {$permissionTable} WHERE  entity_id = $contactID";

        $dao = CRM_Core_DAO::executeQuery( $sql, CRM_Core_DAO::$_nullArray );

        if ( ! $dao->fetch( ) ) {
            return;
        }

// Join the necessary tables to execute query
        $tables[$groupTable] = $whereTables[$groupTable] = "LEFT JOIN {$groupTable} groupTable ON contact_a.id = groupTable.entity_id";

// Create search clauses based on permissions
        $clauses = array( );
        foreach( $permissionFieldsType as $field => $fieldType ) {
            $i = 0;
    if ( ! empty( $dao->$field ) ) {
                if ( strpos( CRM_Core_DAO::VALUE_SEPARATOR, $dao->$field ) !== false ) {
                    $value = substr( $dao->$field, 1, -1 );
                    $values = explode( CRM_Core_DAO::VALUE_SEPARATOR, $value );
                    foreach ( $values as $v ) {
        $clauses[] = "groupTable.{$groupFields[$i]} = $v";
                    }
                } 
                else {
                 $clauses[] = "groupTable.{$groupFields[$i]} = '{$dao->$field}'";
                }
            }
    $i++;
        }

// Turn clause into where statement
if ( ! empty( $clauses ) ) {
            if ( ! empty( $where ) ) {
                $where .= ' AND '.implode( ' OR ', $clauses ).'';
         }
    else {
        $where .= ' '.implode( ' OR ', $clauses ).'';
    }
}
}

thanx for posting, i was just starting to reproduce and figure this one out.

yes, if you could blog about the process and update the wiki docs that would be great and highly appreciated

lobo