CiviCRM Community Forums (archive)

Not sure if this should be on this Board or on Core CiviCRM.

My question is about the best current approach to setting up 'current employee' as autocomplete
There have been various approaches
http://forum.civicrm.org/index.php?topic=14863.0
http://forum.civicrm.org/index.php?topic=20555.0
http://forum.civicrm.org/index.php?topic=21168.0
http://forum.civicrm.org/index.php?topic=23275.0
http://civicrm.org/node/528

and not sure what the best current one is

I am not even sure if the floss manual is uptodate on this

http://en.flossmanuals.net/CiviCRM/DevelopAPI/ (search autocomplete)

For security reasons, the Ajax interface is restricted to users who have access to CiviCRM - otherwise, it would be fairly easy for anyone to download all the contacts you have in your database. So that's the first thing we check for here:

{if $session->get('userID') > 0}

<script type="text/javascript" src="../{$config->resourceBase}js/rest.js"></script>{literal}
<script>
jQuery(document).ready(function($){
  $('#current_employer').crmAutocomplete({params:{contact_type:'Organization'}});
});
</script>
{/literal}

{/if}
You might want to add additional filters. For instance in a profile "new volunteer from a member", you want to populate the list only with the organisations that belong to the group "members" (group id 42).

$('#current_employer').crmAutocomplete({params:{contact_type:'Organization',group:42}});

or the Wiki

http://wiki.civicrm.org/confluence/display/CRMDOC41/API+Security

and i think this patch has been part of the journey in terms of getting the Permissions sorted

http://issues.civicrm.org/jira/browse/CRM-8840

I am not sure if it comes down to a choice of whether to use ajax api or to use a hook off a Contact Reference field

Our goal is to let Anonymous have access to an Autocomplete field that is restricted at least to only Organisations or better still to only a specific Group of Orgs

If we go the route of setting an Autocomplete on 'Current Employer' and try to restrict to a group it seems we have to give the Permission

CiviCRM: access AJAX API

Is that correct?

Which may be giving a higher Permission than we really want - since my user ended up seeing all Contacts in DB, not even limited to ORGs.

My colleague is asking if access to the ajax api can allow someone to make a call to any part of the civicrm api? eg. is a user with ajax api permissions granted full access to all contact records, etc.?

Would be great to get an up to date recipe for this sorted.

Hi Pete, great thread.

I'm pretty sure the code sample above doesn't work anymore as of 3.4.  As I experienced in a recent upgrade of a client who was using 3.3 to 3.4, autocomplete for Current Employer stopped working completely for anonymous users.

This is, because of my understanding from Xav, for security reasons, we could no longer allow anonymous users to access the API.

Our solution was to stop using autocomplete Employer and instead manually audit (and edit) all data entry from public forms into the Employer field, because as you know when you start exposing contact and relationship creation to the public, strange things can happen.

If we are going to expand permissions to make auto-complete usable again for anonymous My suggestion would be these 2 permissions: 
[ ] access Org Names via AJAX API  (or simply call it use Employer Autocomplete, since that is mostly the point)
[ ] access all Contacts via AJAX API

If there is another way to use it via Contact Reference field+hook, that is fine and I am all ears, but I think the REST permissions changes made by Xav will negatively affect this approach right now too.

Hi,

I'm tempted to use it as an example of what can be done with civix (and learn in the process). I'm travelling now, so expect a blog post in a week or so and an extension that does that.

In a nutshell, two ways

1) if the list is short (say < 200 org)
create a select (using the smarty api) that contains the org you want and a bit of jquery to replace the current employee field (with or without an option to get a free form like by default)

2) if you want an autocomplete, a bit more complicated
- you need to create a new api (eg. api.contact.get_public) that forces the filter you want (eg only contact_type = org & contact_sub_type = members & group=public)
- you need to add a permission hook so civicrm ajax api permission can access this new api (only, not the others)
- you need to alter your template.extra to add the bit of jquery magic to add an autocomplete using this new api
- and finally grant the ajax api permission to anonymous

Working on an extension that does that and blog post. First time I use civix, but shouldn't take too long
 

https://github.com/TechToThePeople/publicautocomplete

First stab, you need to apply this patch too http://issues.civicrm.org/jira/secure/attachment/16587/rest.js.diff

Comments welcome, will publish the blog introducing and presenting the easier option (modify by a select, one .extra.tpl only

X+