CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017.

Support » Using CiviCRM » Using CiviEvent (Moderator: Yashodha Chaku)

Author Topic: Event summary ACL: shows all events when user should see no events  (Read 981 times)

davej

  • Posts: 404
  • Karma: 21
Event summary ACL: shows all events when user should see no events
December 01, 2011, 10:05:30 am
Hi,

The event summary at /civicrm/event?reset=1 respects ACL hooks in a way that mostly seems correct, however if the user should be able to see NO events, it shows ALL events. Tested in 4.0.7. This seems to be the offending code, in CRM_Event_BAO_Event::getEventSummary():

Code:
        // get permission and include them here
        // does not scale, but rearranging code for now
        // FIXME in a future release
        $permissions = CRM_Event_BAO_Event::checkPermission( );
        $validEventIDs = '';
        if ( ! empty( $permissions[CRM_Core_Permission::VIEW] ) ) {
            $validEventIDs =
                " AND civicrm_event.id IN ( " .
                implode( ',', array_values( $permissions[CRM_Core_Permission::VIEW] ) )
                . " ) ";
        }

The following patch appears to fix it...

Code:
--- CRM/Event/BAO/Event.php.orig        2011-09-23 13:53:11.000000000 +0100
+++ CRM/Event/BAO/Event.php     2011-12-01 17:55:17.000000000 +0000
@@ -384,6 +384,10 @@
                 implode( ',', array_values( $permissions[CRM_Core_Permission::VIEW] ) )
                 . " ) ";
         }
+        else {
+            $eventSummary['total_events'] = 0;
+            return $eventSummary;
+        }
 
         $query = "
 SELECT     civicrm_event.id as id, civicrm_event.title as event_title, civicrm_event.is_public as is_public,
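Review bot: the early return in the new else branch hands back $eventSummary with only 'total_events' set, so whatever reads the keys that the rest of the function fills in (the SELECT that follows this hunk feeds them) must cope with those keys being absent; either initialise them before the return or confirm the consuming template checks for them. On the same hunk, the fix only corrects the count for the no-access case: when the VIEW list is non-empty, 'total_events' keeps the value computed by the earlier unfiltered query, so the number can exceed the events actually listed, which is the second issue the post raises. The branch also relies on an empty VIEW list meaning "no events" rather than "no restriction"; the post reports that this holds with "edit all events", but a one-line comment on the else stating that assumption would stop a later change to checkPermission() from silently reopening the fail-open path.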

...and it still works correctly when the user has "edit all events" perm (i.e. it shows all events). Anyone see any problems with this - does CRM_Event_BAO_Event::checkPermission returning empty for VIEW always mean the user should not be able to see any events?

Another issue: $eventSummary['total_events'] is set at the beginning of the function, by a query that takes no notice of ACLs.

And another: the Recent Registrations list ignores event ACLs, showing registrations for all events (but I think only showing contacts that the user has permission to view).

Dave J
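The fail-closed version of the filter the post describes, written as an added example for this thread rather than code from the post or from CiviCRM itself. The original defect is that an empty VIEW list produced an empty filter string, i.e. no restriction at all. Function names (eventIdFilter, eventSummary), the 'view' key and the in-memory event list are assumptions made for the example; the summary is computed over an array instead of a database so it runs stand-alone, and the count is derived from the same visibility rule as the listed events so the two can never disagree.

```php
<?php
// Added illustration, not CiviCRM code. Shows a fail-closed event filter
// built from a VIEW permission list, plus a summary whose total is derived
// from the same rule. Names and sample data are assumptions for this example.

/**
 * Build the SQL fragment restricting civicrm_event rows to $viewIds.
 * An empty list yields a clause that matches no rows, never an empty
 * string (an empty string is exactly the bug: no filter, all events).
 */
function eventIdFilter(array $viewIds)
{
    $ids = array();
    foreach ($viewIds as $id) {
        $id = (int) $id;           // extra hardening; checkPermission() IDs are trusted anyway
        if ($id > 0) {
            $ids[] = $id;
        }
    }
    if (empty($ids)) {
        return ' AND 0 = 1 ';      // fail closed: the user sees no events
    }
    return ' AND civicrm_event.id IN ( ' . implode(',', $ids) . ' ) ';
}

/**
 * Compute the summary over an in-memory event list. total_events is
 * counted from the events that passed the visibility rule, so it cannot
 * exceed the list (the second issue raised in the post).
 */
function eventSummary(array $events, array $permissions)
{
    $viewIds = isset($permissions['view']) ? $permissions['view'] : array();
    $summary = array('total_events' => 0, 'events' => array());
    if (empty($viewIds)) {
        return $summary;           // mirrors the patch's early return
    }
    $allowed = array_flip(array_map('intval', $viewIds));
    foreach ($events as $event) {
        if (isset($allowed[$event['id']])) {
            $summary['events'][$event['id']] = $event;
        }
    }
    $summary['total_events'] = count($summary['events']);
    return $summary;
}

// Constructed sample data for the example.
$events = array(
    array('id' => 1, 'title' => 'Gala'),
    array('id' => 2, 'title' => 'Workshop'),
    array('id' => 3, 'title' => 'Members-only AGM'),
);

$cases = array(
    'sees nothing' => array('view' => array()),
    'sees one'     => array('view' => array(2)),
    'sees all'     => array('view' => array(1, 2, 3)),
);

foreach ($cases as $label => $perms) {
    $s = eventSummary($events, $perms);
    printf("%-13s filter:%-42s total=%d ids=[%s]\n",
        $label,
        eventIdFilter($perms['view']),
        $s['total_events'],
        implode(',', array_keys($s['events'])));
}
```

Run with `php example.php`; the first case prints a filter of `AND 0 = 1` and a total of 0, which is the behaviour the post's patch restores. Whether an empty VIEW list really means "no events" for every permission combination is the open question in the post; this example takes the same position the patch does.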

Donald Lobo

  • Administrator
  • I’m (like) Lobo ;)
  • Posts: 15963
  • Karma: 470
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: Event summary ACL: shows all events when user should see no events
December 01, 2011, 01:00:32 pm

Hey davej:

all the below are valid bugs. Your first patch seems right.

Do you want to take a look at the other two issues and come up with a unified patch for all 3?

thanx

lobo

davej

  • Posts: 404
  • Karma: 21
Re: Event summary ACL: shows all events when user should see no events
December 02, 2011, 07:57:26 am
Hi Lobo,

Thought you might say that!  ;)

I've filed http://issues.civicrm.org/jira/browse/CRM-9258 with a patch for the first two.

I took a look at the code for the third point (Recent Registrations list ignores event ACLs) and tried to work out where to intervene: it's much less obvious than for the summary, as the Recent Registrations list comes via CRM_Core_Controller_Simple, CRM_Event_Form_Search, CRM_Event_Selector_Search, CRM_Core_Selector_Controller, CRM_Contact_BAO_Query and while I was trying to see my way through that lot, it became apparent that for the site where the issue came up, it would actually suit the client quite well to show all registrations by contacts in ACL group X, including ones for events outside X. So I'm reclassifying point 3 as a feature. :)

Dave J
