CiviCRM Community Forums (archive)


This forum was archived on 25 November 2017. Learn more.
Author Topic: Do Drupal Views not yet inherit ACL restrictions  (Read 1227 times)

petednz

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4899
  • Karma: 193
    • Fuzion
  • CiviCRM version: 3.x - 4.x
  • CMS version: Drupal 6 and 7
Do Drupal Views not yet inherit ACL restrictions
July 21, 2012, 10:54:07 pm
Not sure if this is something I forgot was a limitation - or if it was but is now borked

Set up View showing civi data

Set up ACL to restrict user X to see only people in Group X

Test ACL works by 'search all' in civi and see only 290 of 10000 contacts - good

Go to view - see all 10000 contacts. ouch

pete davis : www.fuzion.co.nz : connect + campaign + communicate

Hershel

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4640
  • Karma: 176
    • CiviHosting
  • CiviCRM version: Latest
  • CMS version: Mostly WordPress and Drupal
Re: Do Drupal Views not yet inherit ACL restrictions
July 22, 2012, 06:04:06 am
AFAIK, Views queries the CiviCRM DB directly and thus of course bypasses CiviCRM's ACL.
CiviHosting and CiviOnline -- The CiviCRM hosting experts, since 2007


Donald Lobo

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 15963
  • Karma: 470
    • CiviCRM site
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: Do Drupal Views not yet inherit ACL restrictions
July 22, 2012, 03:23:17 pm

But obviously would make a great addition and make the views integration even more powerful.

Seems like would need to be done as an alter query hook or something similar when it's a contact view. I think it gets even more complex when it's a contribution view

Also not sure if the views integration is aware of either trashed contacts or dead contacts. Civi handles them with special care :)

lobo

torrance123

  • I post occasionally
  • **
  • Posts: 57
  • Karma: 3
  • CiviCRM version: 4.0
  • CMS version: Drupal 7
  • MySQL version: 5.0.91
  • PHP version: 5.3.3
Re: Do Drupal Views not yet inherit ACL restrictions
July 22, 2012, 03:57:05 pm
I had gone down the same sort of route outlined by Lobo. This is set to work only for when the view is built off the civicrm_contacts table. I expect extending a similar sort of logic to work with other civi tables as the base table would be possible.

I'd be interested to know if there is a cleaner way to include the necessary civicrm classes.

Code: [Select]
function civicrm_views_acl_views_query_alter(&$view, &$query) {
  if ($view->base_table == 'civicrm_contact') {
    // Initialize CiviCRM and load the required classes to
    // call CRM_Contact_BAO_Contact_Permission::cacheClause().
    civicrm_initialize();
    require_once $GLOBALS['civicrm_root'] . '/CRM/Contact/BAO/Contact/Permission.php';
    require_once $GLOBALS['civicrm_root'] . '/CRM/Core/Permission.php';

    // Construct a subquery that returns the list of contacts that the current
    // user has access to.
    list($from_clause, $where_clause) = CRM_Contact_BAO_Contact_Permission::cacheClause('civicrm_contact');
    $subquery = "SELECT civicrm_contact.id FROM {civicrm_contact} as civicrm_contact {$from_clause} WHERE {$where_clause}";

    // Include the subquery as a where clause into the views query.
    $civicrm_contact_alias = $query->ensure_table('civicrm_contact');
    $query->add_where(0, "{$civicrm_contact_alias}.id IN ({$subquery})");
  }
}
« Last Edit: July 22, 2012, 04:00:07 pm by torrance123 »

Donald Lobo

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 15963
  • Karma: 470
    • CiviCRM site
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: Do Drupal Views not yet inherit ACL restrictions
July 22, 2012, 06:38:10 pm

not sure how much u can do with query alter, but within the civi code we use a left join to the acl table of contact ids and add a where clause

older versions of mysql were very inefficient with sub-selects in some cases. not sure if this is still true for 5.1/5.5

lobo

torrance123

  • I post occasionally
  • **
  • Posts: 57
  • Karma: 3
  • CiviCRM version: 4.0
  • CMS version: Drupal 7
  • MySQL version: 5.0.91
  • PHP version: 5.3.3
Re: Do Drupal Views not yet inherit ACL restrictions
July 22, 2012, 08:04:48 pm
Quote
not sure how much u can do with query alter, but within the civi code we use a left join to the acl table of contact ids and add a where clause

Yeah, I was avoiding that because it seemed like a much more difficult thing to do with the views query object. But you're right, it is about one order of magnitude slower, depending on the query used.

So after a little views battling, here is the more efficient approach using an inner join and where clause as opposed to a subquery.

I'd still like feedback on how best to include civi class files.

Code: [Select]
function civicrm_views_acl_views_data() {
  $data = array();
  $data['civicrm_acl_contact_cache']['table']['join']['civicrm_contact'] = array(
    'field' => 'contact_id',
    'left_field' => 'id',
    'type' => 'INNER',
  );
  return $data;
}

function civicrm_views_acl_views_query_alter(&$view, &$query) {
  if ($view->base_table == 'civicrm_contact') {
    // Initialize CiviCRM and load the required classes to
    // call CRM_Contact_BAO_Contact_Permission::cacheClause().
    civicrm_initialize();
    require_once $GLOBALS['civicrm_root'] . '/CRM/Contact/BAO/Contact/Permission.php';
    require_once $GLOBALS['civicrm_root'] . '/CRM/Core/Permission.php';

    // Grab the SQL fragments that civicrm uses to decide ACL. But first, grab
    // the alias for the civicrm_contact table as defined in the view's query object.
    $civicrm_contact_alias = $query->ensure_table('civicrm_contact');
    list($from_clause, $where_clause) = CRM_Contact_BAO_Contact_Permission::cacheClause($civicrm_contact_alias);

    // Join on the civicrm acl cache table if the $from_clause isn't empty. We are
    // assuming that if it is not empty, that it defines a join just as we implement.
    if ($from_clause) {
      $civicrm_acl_join_object = views_get_table_join('civicrm_acl_contact_cache', 'civicrm_contact');
      // The table alias 'aclContactCache' is hardcoded in CRM_Contact_BAO_Contact_Permission::cacheClause().
      $query->add_relationship('aclContactCache', $civicrm_acl_join_object, 'civicrm_contact');
    }

    // Attach the where condition to the views query.
    $query->add_where(0, $where_clause);
  }
}
« Last Edit: July 22, 2012, 08:39:23 pm by torrance123 »
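
The following is an added example, not code from the thread or from CiviCRM: a small check that compares the unrestricted query a view issues with the two restricted shapes discussed above (IN-subquery and INNER JOIN on the ACL cache) and reports any contact IDs returned outside the ACL. Assumptions: SQLite stands in for MySQL, the two-table schema is simplified, the `user_id` column and all sample rows are constructed, and the function names are hypothetical.

```python
import sqlite3

def build_db():
    """In-memory database with constructed rows; the schema is a simplified assumption."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE civicrm_contact (id INTEGER PRIMARY KEY, display_name TEXT);
        CREATE TABLE civicrm_acl_contact_cache (user_id INTEGER, contact_id INTEGER);
    """)
    db.executemany("INSERT INTO civicrm_contact VALUES (?, ?)",
                   [(i, f"Contact {i}") for i in range(1, 11)])
    # Constructed ACL cache: user 42 may see contacts 2, 5, 7; user 43 may see 9.
    db.executemany("INSERT INTO civicrm_acl_contact_cache VALUES (?, ?)",
                   [(42, 2), (42, 5), (42, 7), (43, 9)])
    return db

# What a view built directly on civicrm_contact runs: no ACL condition at all.
UNFILTERED = "SELECT c.id FROM civicrm_contact c ORDER BY c.id"
# Shape of the first approach in the thread: restrict by an IN-subquery.
SUBQUERY = """SELECT c.id FROM civicrm_contact c WHERE c.id IN (
  SELECT contact_id FROM civicrm_acl_contact_cache WHERE user_id = ?) ORDER BY c.id"""
# Shape of the second approach: INNER JOIN on the ACL cache plus a WHERE clause.
JOIN = """SELECT c.id FROM civicrm_contact c
  INNER JOIN civicrm_acl_contact_cache aclContactCache
    ON aclContactCache.contact_id = c.id
  WHERE aclContactCache.user_id = ? ORDER BY c.id"""

def visible_ids(db, sql, user_id=None):
    """Contact IDs a query returns for the given user."""
    params = (user_id,) if "?" in sql else ()
    return [row[0] for row in db.execute(sql, params)]

def leaked_ids(db, sql, user_id):
    """Contact IDs a query returns that the ACL cache does not grant to user_id."""
    allowed = {row[0] for row in db.execute(
        "SELECT contact_id FROM civicrm_acl_contact_cache WHERE user_id = ?",
        (user_id,))}
    return sorted(set(visible_ids(db, sql, user_id)) - allowed)

if __name__ == "__main__":
    db = build_db()
    for name, sql in (("unfiltered", UNFILTERED), ("subquery", SUBQUERY), ("join", JOIN)):
        print(name, visible_ids(db, sql, 42), "leaked:", leaked_ids(db, sql, 42))
```

The same comparison can be run against a staging site by capturing the SQL a view generates for a restricted user and diffing its result set against that user's rows in the ACL cache.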


This forum was archived on 2017-11-26.