CiviCRM Community Forums (archive)

*

News:

Have a question about CiviCRM?
Get it answered quickly at the new
CiviCRM Stack Exchange Q+A site
This forum was archived on 25 November 2017. Learn more.
How to get involved.
What to do if you think you've found a bug.



  • CiviCRM Community Forums (archive) »
  • Old sections (read-only, deprecated) »
  • Support »
  • Using CiviCRM »
  • Using CiviReport (Moderator: Dave Greenberg) »
  • Custom field ACLs in CiviReport
Pages: [1] 2

Author Topic: Custom field ACLs in CiviReport  (Read 3080 times)

adharris

  • I’m new here
  • *
  • Posts: 14
  • Karma: 0
  • CiviCRM version: 3.4
  • CMS version: Drupal 6
  • MySQL version: dunno 5.something?
  • PHP version: 5.2
Custom field ACLs in CiviReport
May 07, 2012, 11:22:07 am
I created a new report from the activity template and included a bunch of custom fields that are on one of our activity types.  When I released this report to our users, only the administrators could see the custom fields.

I tracked the problem down to our ACL set up.  As it stands, our admins are the only ones with the "access all custom data" permission.  Other users get access to a subset of the custom field groups via ACLs.  It seems that CiviReport only allows custom data to be included in reports if the user has "access all custom data", and never checks ACLs.  I tracked down the code that does this:

from CRM/Report/Form.php:
Code: [Select]
    // do not allow custom data for reports if user don't have
    // permission to access custom data.
    if (!empty($this->_customGroupExtends) && !CRM_Core_Permission::check('access all custom data')) {
      $this->_customGroupExtends = array();
    }

Which just wipes out custom fields if the user doesn't have 'access all custom data'.

It seems that it would be more correct to have only custom field sets that the user has rights to see show up in the reports.  I'm thinking the following changes are what needs to happen to do this:
  • If the user does not have access all custom data, load all custom field groups for the entity types specified in _customGroupExtends
  • For each custom group, check ACLs and make a list of the ones the user has rights to see
  • Change the report's form generation so that the custom fields are generated based on the above list as opposed to all field groups

1 and 2 seem easy, but I'm not sure how to approach 3.  Also, if changes are made to the default report template, what happens to any existing saved reports?  Any thoughts?

Michael McAndrew

  • Forum Godess / God
  • I live on this forum
  • *****
  • Posts: 1274
  • Karma: 55
    • Third Sector Design
  • CiviCRM version: various
  • CMS version: Nearly always Drupal
  • MySQL version: 5.5
  • PHP version: 5.3
Re: Custom field ACLs in CiviReport
May 28, 2012, 09:22:26 am
Indeed it seems like custom data ACL is not implemented in CiviReport :(  Just came up against this problem

This is a pain point for us in one installation since we would need to give the person permission to access all custom data in order for them to see this one column, and there is lots of custom data that we don't want them to see.

A work around (which we will implement) is to manually add the column you need into the query with some SQL (rather than by the normal custom data method).


Service providers: Grow your business, build your reputation and support CiviCRM. Become a partner today

Owen

  • I post occasionally
  • **
  • Posts: 83
  • Karma: 2
    • Leukaemia & Lymphoma Research
  • CiviCRM version: 4.3.4
  • CMS version: Drupal 7
  • MySQL version: -
  • PHP version: -
Re: Custom field ACLs in CiviReport
June 19, 2012, 06:02:05 am
We've run up against this too, and are still without a proper solution.

How much work would building in ACLs for CiviReport be?

Donald Lobo

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 15963
  • Karma: 470
    • CiviCRM site
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: Custom field ACLs in CiviReport
June 19, 2012, 07:12:10 am

i suspect adding custom data acl's to report is  10-20 hour or so project.

i think the change is fairly minimal, we'll need to figure out the best place to do so to make the changes in most reports relatively easy

lobo
A new CiviCRM Q&A resource needs YOUR help to get started. Visit our StackExchange proposed site, sign up and vote on 5 questions

Heather O.

  • I’m new here
  • *
  • Posts: 21
  • Karma: 0
  • CiviCRM version: 4.x.x
  • CMS version: Drupal 6 & 7
  • MySQL version: 5
  • PHP version: 5
Re: Custom field ACLs in CiviReport
July 31, 2012, 05:16:41 am
Hi there,

We've just come across the same issue which they'd really like to resolved so we'd be willing to chip in to get this working. Anyone else?

Lobo - what do you think the cost would be?

Thanks,

Heather

Donald Lobo

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 15963
  • Karma: 470
    • CiviCRM site
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: Custom field ACLs in CiviReport
July 31, 2012, 07:35:52 am

If we stick to the 20 hours for the project, its approx a 2K USD project

lobo
A new CiviCRM Q&A resource needs YOUR help to get started. Visit our StackExchange proposed site, sign up and vote on 5 questions

Parvez

  • I post occasionally
  • **
  • Posts: 91
  • Karma: 7
Re: Custom field ACLs in CiviReport
November 30, 2012, 03:16:59 am
Hey Lobo

If you could propose the amendment to allow Custom Data to work with ACL's, we'd be happy to take this work on.

Thanks

Donald Lobo

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 15963
  • Karma: 470
    • CiviCRM site
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: Custom field ACLs in CiviReport
November 30, 2012, 03:46:42 am

parvez:

not sure i understand what you mean by "propose the amendment"

can u clarify. We've not heard back from heather o on this topic either

lobo
A new CiviCRM Q&A resource needs YOUR help to get started. Visit our StackExchange proposed site, sign up and vote on 5 questions

Parvez

  • I post occasionally
  • **
  • Posts: 91
  • Karma: 7
Re: Custom field ACLs in CiviReport
December 06, 2012, 02:14:59 am
Hey Lobo

Sorry - wasn't clear.

I meant how we should go about implementing the fix i.e. what we need to amend in the code base.

We're happy to do it.

Thanks

Parvez

Donald Lobo

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 15963
  • Karma: 470
    • CiviCRM site
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: Custom field ACLs in CiviReport
December 06, 2012, 09:46:44 am

parvez:

ping me on irc and we can chat and discuss this. I'll need to take a look at the code and see what / where it does the custom data retrieval etc

lobo
A new CiviCRM Q&A resource needs YOUR help to get started. Visit our StackExchange proposed site, sign up and vote on 5 questions

Parvez

  • I post occasionally
  • **
  • Posts: 91
  • Karma: 7
Re: Custom field ACLs in CiviReport
February 24, 2013, 01:29:43 am
Hi All

Thanks to funding from Leukaemia & Lymphoma Research, a patch is available for this improvement.

http://issues.civicrm.org/jira/browse/CRM-11962

Thanks

Parvez
www.vedaconsulting.co.uk

davej

  • Ask me questions
  • ****
  • Posts: 404
  • Karma: 21
Re: Custom field ACLs in CiviReport
October 04, 2013, 09:53:51 am
Hi Parvez / all,

I've found a problem with this in 4.3.5: users with 'access all custom data' permission are only permitted to see (in reports) custom groups that they have been granted access to via Civi ACLs, whereas they should be able to see all custom groups regardless of ACLs.

The attached patch against 4.3.5 seems to resolve this. Testing as...
- A user with 'access all custom data' permission: it allows access to all custom groups.
- A user without 'access all custom data' permission but with ACL access to some custom groups: it allows access only to the ACL-permitted custom groups.
- A user without 'access all custom data' permission and with no ACL access to custom groups: it allows access to no custom groups.

Cheers,

Dave

Parvez

  • I post occasionally
  • **
  • Posts: 91
  • Karma: 7
Re: Custom field ACLs in CiviReport
October 04, 2013, 01:46:04 pm
Thanks Dave

The original patch was applied to core, have you JIRA'd this issue or shall I?

davej

  • Ask me questions
  • ****
  • Posts: 404
  • Karma: 21
Re: Custom field ACLs in CiviReport
October 07, 2013, 04:33:08 am
Hi Parvez,

I wasn't sure if it was better to use the existing JIRA issue or file a new one, what d'you think?

A bit more detail on the issue - there are actually 4 cases:

1. A user with 'access all custom data' permission and with ACL access to some custom groups: should allow access to all custom groups.
2. A user with 'access all custom data' permission but no ACL access to custom groups: should allow access to all custom groups.
3. A user without 'access all custom data' permission but with ACL access to some custom groups: should allow access only to the ACL-permitted custom groups.
4. A user without 'access all custom data' permission and with no ACL access to custom groups: should allow access to no custom groups.

It's case (1) where the existing code fails.

Cheers,

Dave

Parvez

  • I post occasionally
  • **
  • Posts: 91
  • Karma: 7
Re: Custom field ACLs in CiviReport
October 07, 2013, 04:44:56 am
Thanks for the detail. I think it should be a new issue as the old one is effectively in core and this is a bug.

Not sure if the bug applied to earlier versions of CiviCRM?
Pages: [1] 2
  • CiviCRM Community Forums (archive) »
  • Old sections (read-only, deprecated) »
  • Support »
  • Using CiviCRM »
  • Using CiviReport (Moderator: Dave Greenberg) »
  • Custom field ACLs in CiviReport

This forum was archived on 2017-11-26.