CiviCRM Community Forums (archive)


This forum was archived on 25 November 2017. Learn more.




Author Topic: Activities and ACLs  (Read 703 times)

jake.mw

Activities and ACLs
May 13, 2012, 09:24:44 pm
I have been uncovering some odd behaviour when working with Activities on an install where ACLs are enabled.

As I understand it, for generic Activities (not contribution, cases, etc.), if a user does not have "view all contacts" and "view all activities" permissions, the following rule is used to determine whether a user can view an activity:
A user can view an activity only if they have ACL permissions to see each of the source, target, and assignee contacts

This general behaviour seems to be enforced on individual view/edit pages, but lists are behaving differently.  Specifically:

1. Activities I do not have permission to see are included on the contact's "Activities" tab.  It's only when I click the "View" or "Edit" links for the activity that I get an error, "You do not have permission to view this page".

2. Activities I do not have permission to see are included in the "Find Activities" search results.  As above, it's only when I click the "View" or "Edit" links that I get an error, "You do not have permission to view this page".

3. Activities I do not have permission to see are included in Exports from the Find Activities tab.  I can include any fields I want in an export file, exposing Activity details even when the activity should not have been visible at all.

Is this behaviour intentional? It's hard to believe that nobody else has stumbled upon it.  Nevertheless, I would be happy to work out some patches to fix it if someone can confirm that I haven't misunderstood something here.

There is a fourth issue when working with Activities and ACLs: the dashboard (and eventually the server) hangs if it includes a widget based on the Activities report.  I've posted on that issue here:
http://forum.civicrm.org/index.php?topic=20159.0


Donald Lobo

Re: Activities and ACLs
May 14, 2012, 09:01:02 am

hey jake:

activities are a bit different from the other civi objects primarily because of the multiple contacts linked to it.

In general, i do think that the ACL feature is used by a much smaller fraction of the civi user base and hence has still a few, "wow, i can't believe no one has stumbled across this bug as yet"

I do think (and eileen has semi-verified this with some tests), that the current DB model to store activities, while nice and elegant is quite problematic with performance. This is primarily due to the fact that the contact ids are stored in 3 tables (civicrm_activity, _assignment and _target). A better model  might be to migrate this to one new table with a "table_type" field as part of that table (which will kill the 2 extra left joins needed and hence boost performance)

I do suspect the above change will make fixing the ACLs a lot easier.

The primary reason the above was not done earlier was the absence of a smarter queuing upgrade procedure. However thanx to some great work  by tim otten, 4.2 will have a queueing upgrade script and hence the change should be possible in 4.3

Wanna take this on? would be super awesome and we can help u get going

lobo
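
The rule from the first post (an activity is visible only when the source, every target and every assignee contact are all permitted), as an added example that is not part of the thread and not CiviCRM's own code. It runs one predicate over the three tables named in the reply and reuses it for the listing, the export and the detail check, so the three cannot disagree. The column names, the `acl_allowed` table and all function names are assumptions, and the rows are constructed sample data.

```python
import sqlite3

# Simplified stand-in for the three tables named in the thread; column names
# are assumptions, and acl_allowed stands in for the user's ACL result set.
SCHEMA = """
CREATE TABLE civicrm_activity (id INTEGER PRIMARY KEY, subject TEXT, source_contact_id INTEGER);
CREATE TABLE civicrm_activity_target (activity_id INTEGER, target_contact_id INTEGER);
CREATE TABLE civicrm_activity_assignment (activity_id INTEGER, assignee_contact_id INTEGER);
CREATE TABLE acl_allowed (contact_id INTEGER PRIMARY KEY);
"""

# Visible only if the source is allowed and no target or assignee is outside the set.
VISIBLE_SQL = """
SELECT a.id, a.subject FROM civicrm_activity a
WHERE a.source_contact_id IN (SELECT contact_id FROM acl_allowed)
  AND NOT EXISTS (SELECT 1 FROM civicrm_activity_target t WHERE t.activity_id = a.id
                  AND t.target_contact_id NOT IN (SELECT contact_id FROM acl_allowed))
  AND NOT EXISTS (SELECT 1 FROM civicrm_activity_assignment s WHERE s.activity_id = a.id
                  AND s.assignee_contact_id NOT IN (SELECT contact_id FROM acl_allowed))
ORDER BY a.id
"""

def build_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO civicrm_activity VALUES (?, ?, ?)",
                   [(1, "Call", 10), (2, "Meeting", 10), (3, "Email", 99), (4, "Visit", 11)])
    db.executemany("INSERT INTO civicrm_activity_target VALUES (?, ?)",
                   [(1, 11), (2, 11), (2, 99), (3, 10), (4, 10)])
    db.executemany("INSERT INTO civicrm_activity_assignment VALUES (?, ?)",
                   [(1, 10), (4, 99)])
    return db

def visible_activities(db, allowed_contact_ids):
    """Single source of truth used by list, search, export and detail view."""
    db.execute("DELETE FROM acl_allowed")
    db.executemany("INSERT INTO acl_allowed VALUES (?)",
                   [(c,) for c in set(allowed_contact_ids)])
    return db.execute(VISIBLE_SQL).fetchall()

def can_view(db, allowed_contact_ids, activity_id):
    """Detail-page check: same predicate as the listing."""
    return any(row[0] == activity_id for row in visible_activities(db, allowed_contact_ids))

def export_subjects(db, allowed_contact_ids):
    """Export path: only rows that passed the ACL filter reach the file."""
    return [subject for _id, subject in visible_activities(db, allowed_contact_ids)]

if __name__ == "__main__":
    print(visible_activities(build_db(), {10, 11}))  # activities 2-4 each touch contact 99
```

The two `NOT EXISTS` subqueries correspond to the two extra tables the reply mentions; a single contact-link table with a type column would reduce them to one.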

This forum was archived on 2017-11-26.