CiviCRM Community Forums (archive)


This forum was archived on 25 November 2017. Learn more.

Author Topic: Relationships tab doesn't respect ACLs  (Read 1653 times)

davej

  • Ask me questions
  • ****
  • Posts: 404
  • Karma: 21
Relationships tab doesn't respect ACLs
October 20, 2011, 11:43:29 am
Hi,

I have an ACL hook in place to restrict access to contacts. This works fine but when viewing the Relationships tab on contact summary, all related contacts are shown, regardless of whether the user is permitted by the ACL hook to see them. Their email, phone etc appear and the contact name links to contact view, but clicking on it gives access denied. Seems like a bug to me.

The code involved seems to be CRM_Contact_Page_View_Relationship::browse(), which calls CRM_Contact_BAO_Relationship::getRelationship, which doesn't seem to be ACL-aware.

(Edit 24 Oct 16:40 BST:)
It would be useful to have an opinion from the core team as to whether this behaviour is regarded as clearly wrong & so needing fixing in core, or whether it's intended / desired for some use cases. Obviously I'm expecting "please contribute a patch if it's important to your use case" ;-) but what I'm trying to get straight first is whether changing the behaviour in core is the correct thing to do.

Dave J
« Last Edit: October 24, 2011, 08:41:11 am by davej »

Donald Lobo

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 15963
  • Karma: 470
    • CiviCRM site
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: Relationships tab doesn't respect ACLs
October 27, 2011, 08:38:41 pm

oops. i did check this when i saw it, but the sprint distracted me :(

it is a bug and should be fixed. You know the rest of the drill :)

lobo
A new CiviCRM Q&A resource needs YOUR help to get started. Visit our StackExchange proposed site, sign up and vote on 5 questions

davej

Re: Relationships tab doesn't respect ACLs
October 31, 2011, 03:10:07 am
Thanks for confirming. How many hours would you estimate?

Dave J

Donald Lobo

Re: Relationships tab doesn't respect ACLs
October 31, 2011, 07:56:41 am

I suspect 10 hours or so including writing a test to ensure it works. The test might take a bit/lot more than 10 hours, since there might be some ACL infrastructure stuff to add to tests

lobo

davej

Re: Relationships tab doesn't respect ACLs
December 12, 2011, 01:53:13 pm
Hi Lobo,

I've come up with one way of doing this, not sure whether it's a good way. I was struggling to see how CRM_Contact_BAO_Relationship::getRelationship can be made ACL-aware without a complete rewrite. The ACL code that I've seen for contacts uses CRM_ACL_BAO_ACL::whereClause, which IIUC assumes the query is being constructed with CRM_Contact_BAO_Query or similar, which it isn't. So what I've done is a sneaky subquery that does a simple ACL'd query to get the contact ids of contacts the user may view. Not the most elegant or, I suspect, efficient approach but, in early testing, seems to produce the right results on the relationships tab.

CRM_Contact_BAO_Relationship::getRelationship is called in over a dozen other places in the code base so this has the potential to bring ACL-flavoured good or harm to them all! Would need to review whether ACLs should be applied in each of these contexts.

Patch attached, needs much more testing and vetting for general sanity.

Dave J
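
The subquery approach described in the post above, sketched as an added example (this is not the attached patch and not CiviCRM code). It runs against a constructed, simplified SQLite schema; the `acl_permitted` table is a hypothetical stand-in for the set of contacts the ACL hook lets a user view.

```python
import sqlite3

# Constructed, simplified schema and sample rows: NOT CiviCRM's real tables.
SCHEMA = """
CREATE TABLE contact (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
CREATE TABLE relationship (id INTEGER PRIMARY KEY, contact_a INTEGER,
                           contact_b INTEGER, label TEXT);
-- Hypothetical stand-in for the ACL hook's result: contacts each user may view.
CREATE TABLE acl_permitted (user_id INTEGER, contact_id INTEGER);
INSERT INTO contact VALUES (1,'Alice','alice@example.org'),(2,'Bob','bob@example.org'),
                           (3,'Carol','carol@example.org'),(4,'Dan','dan@example.org');
INSERT INTO relationship VALUES (10,1,2,'Employee of'),(11,3,1,'Spouse of'),
                                (12,1,4,'Sibling of');
INSERT INTO acl_permitted VALUES (100,1),(100,2);  -- user 100: Alice and Bob only
"""

# Relationships of :cid in either direction, joined to the *other* contact.
BASE = """
SELECT r.id, c.name, c.email, r.label
FROM relationship r
JOIN contact c
  ON c.id = CASE WHEN r.contact_a = :cid THEN r.contact_b ELSE r.contact_a END
WHERE (r.contact_a = :cid OR r.contact_b = :cid)
"""

# The fix pattern: the related contact must be in the viewer's permitted set.
ACL_FILTER = " AND c.id IN (SELECT contact_id FROM acl_permitted WHERE user_id = :uid)"

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def relationships_unfiltered(db, cid):
    # Behaviour reported in the thread: every related contact is listed.
    return db.execute(BASE + " ORDER BY r.id", {"cid": cid}).fetchall()

def relationships_acl(db, cid, uid):
    # Assumption added here: deny by default if the viewer may not see the
    # subject contact itself, then filter the related contacts by subquery.
    ok = db.execute("SELECT 1 FROM acl_permitted WHERE user_id = ? AND contact_id = ?",
                    (uid, cid)).fetchone()
    if not ok:
        return []
    return db.execute(BASE + ACL_FILTER + " ORDER BY r.id",
                      {"cid": cid, "uid": uid}).fetchall()

if __name__ == "__main__":
    db = open_db()
    print("unfiltered:", relationships_unfiltered(db, 1))
    print("ACL-aware :", relationships_acl(db, 1, 100))
```
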

Donald Lobo

Re: Relationships tab doesn't respect ACLs
December 12, 2011, 04:24:16 pm

hey dave:

do u want to file an issue for this for 4.2 and attach the patch? I suspect we'll look at it at that point. a bit slammed now with the sprint and 4.1 release

lobo

davej

Re: Relationships tab doesn't respect ACLs
December 13, 2011, 03:33:17 am
Hi Lobo,

Filed http://issues.civicrm.org/jira/browse/CRM-9335 with patch. Hope the sprint's going well.

Cheers,

Dave J


This forum was archived on 2017-11-26.