CiviCRM Community Forums (archive)


This forum was archived on 25 November 2017.




Author Topic: View only mailings sent by logged in user  (Read 985 times)

bpmccain

  • I post frequently
  • ***
  • Posts: 255
  • Karma: 5
  • CiviCRM version: 4.1
  • CMS version: Drupal 7.12
  • MySQL version: 5.2
  • PHP version: 5.2
View only mailings sent by logged in user
November 08, 2012, 04:49:48 pm
I want to be able to limit the mailings visible to a logged in user to just those that the logged in user actually sent - not all mailings from the CRM system.

I have ACL rules in place which prevent them from seeing contacts that mailings were sent to that they don't have permission to see, but I would also like to prevent them from seeing the actual mailing itself.

It doesn't seem at first glance as though either of the ACL hooks will help me achieve that.

Any thoughts?

Donald Lobo

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 15963
  • Karma: 470
    • CiviCRM site
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: View only mailings sent by logged in user
November 08, 2012, 05:17:58 pm

Unfortunately ACLs do not cover the mailing object. They are covered indirectly via groups

i.e. a user can see all the mailings where the user has access to any of the groups that the mailing went to.

This might potentially work with your group hook that you described in another post :)

lobo
A new CiviCRM Q&A resource needs YOUR help to get started. Visit our StackExchange proposed site, sign up and vote on 5 questions

bpmccain

Re: View only mailings sent by logged in user
November 08, 2012, 05:40:35 pm
And if the mailing was search based?

Donald Lobo

Re: View only mailings sent by logged in user
November 08, 2012, 07:09:27 pm

Not sure, but if I had to guess, only folks with the permission "view all contacts" will be able to see search based mailings.

lobo

bpmccain

Re: View only mailings sent by logged in user
November 09, 2012, 05:03:34 am
It appears as though they are viewable to everyone, which creates a bit of a problem. I seem to be able to click on a mailing report and view all of the contacts that the e-mail was sent to, along with their e-mail address even though I don't have permission to view those contacts.

When I click on a contact name, I am told I don't have permission to view this contact.

Is this a bug? Surely, even if I can see the mailing, I should only be able to see the contacts to whom that mailing was sent that I also have permission to see?

Brian


rogical

  • I post occasionally
  • **
  • Posts: 30
  • Karma: 1
  • CiviCRM version: 4.2
  • CMS version: Drupal
  • MySQL version: 5.1
  • PHP version: 5.3
Re: View only mailings sent by logged in user
November 09, 2012, 07:01:32 am
I think this is very important, other contacts will view/change any mailings. Can we just not show mailings not created by contacts?

Donald Lobo

Re: View only mailings sent by logged in user
November 09, 2012, 07:26:47 am

Mailing could definitely use some ACL and permissioning love. Would be great if the two of you can work on it and help improve the permissioning code with regard to CiviMail.

Pretty sure mailing reports do not use any ACLs or permissioning at all.

lobo

bpmccain

Re: View only mailings sent by logged in user
November 09, 2012, 07:44:33 am
Ok. I will dive into it this weekend.

Would you have any recommended starting points where I should be looking?

Brian

Donald Lobo

Re: View only mailings sent by logged in user
November 09, 2012, 08:52:23 am

at least a 3 part project:

1. I would check the function:  CRM_Mailing_BAO_Mailing::mailingACL* and see what they do / where they are used and if you can tweak that to meet your current needs

2. Add the mailing object to the CiviCRM ACL framework. However I do think our current framework for non-contact objects does not scale if you have a large number of objects (since we return arrays of ids etc). We should definitely move this to a table and switch to using a SQL approach (similar to contacts)

3. Incorporate the mailing ACL stuff into the mailing code: CRM/Mailing/*

4. Incorporate contact ACLs into mailing reports. This is a bit tricky. Not sure if you want to reduce the reported numbers based on the permissions they have. If a mailing was sent to 100 people, irrespective of your permissions, that number should not change (if you can see the mailing)

lobo

bpmccain

Re: View only mailings sent by logged in user
November 09, 2012, 02:56:32 pm
Ok, so I found out that there isn't a bug. We have one group, that all users can see, that is our global unsubscribe group (for when someone unsubscribes from everything instead of opting out).

So this group is automatically excluded from all mailings, meaning it is a part of all mailings. And since all logged in users have access to this group, all logged in users have access to all mailings.

Quote
I would check the function:  CRM_Mailing_BAO_Mailing::mailingACL* and see what they do / where they are used and if you can tweak that to meet your current needs

I found that I can easily limit the mailings to only those created by the user by inserting a couple of lines of code in CRM_Mailing_BAO_Mailing::mailingACLIDs instead. Still trying to decide exactly what functionality I want to implement.

Donald Lobo

Re: View only mailings sent by logged in user
November 09, 2012, 03:05:09 pm

Maybe that code should only consider the included groups and skip the others.

lobo
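The visibility rules discussed in this thread, as an added example: a stand-alone PHP model, not CiviCRM's code and not the change bpmccain made. It compares granting access through any group linked to a mailing, through included groups only, and by creator; the data, the policy names and the function canSeeMailing() are assumptions made for illustration.

```php
<?php
// Added illustration, not CiviCRM source. All ids and records are constructed.
// Group 99 models the "global unsubscribe" group: every logged-in user can see
// it, and it is attached to every mailing as an Exclude group.
$mailings = array(
  1 => array('created_id' => 10, 'groups' => array(
    array('id' => 5, 'type' => 'Include'), array('id' => 99, 'type' => 'Exclude'))),
  2 => array('created_id' => 20, 'groups' => array(
    array('id' => 7, 'type' => 'Include'), array('id' => 99, 'type' => 'Exclude'))),
  3 => array('created_id' => 20, 'groups' => array(
    array('id' => 5, 'type' => 'Include'), array('id' => 7, 'type' => 'Include'),
    array('id' => 99, 'type' => 'Exclude'))),
);

// Hypothetical helper: decide whether one user may see one mailing.
function canSeeMailing(array $mailing, array $userGroupIds, $userId, $policy) {
  switch ($policy) {
    case 'any_group':      // access to ANY linked group, excluded ones included
      $candidates = $mailing['groups'];
      break;
    case 'include_only':   // only groups the mailing was actually sent to
      $candidates = array_filter($mailing['groups'], function ($g) {
        return $g['type'] === 'Include';
      });
      break;
    case 'creator_only':   // only mailings the user created
      return $mailing['created_id'] === $userId;
    default:               // unknown policy: deny
      return false;
  }
  $linkedIds = array_column($candidates, 'id');
  return (bool) array_intersect($linkedIds, $userGroupIds);
}

// Constructed user: contact 10, with access to group 5 and the shared group 99.
$userId = 10;
$userGroupIds = array(5, 99);

foreach (array('any_group', 'include_only', 'creator_only') as $policy) {
  $visible = array_filter($mailings, function ($m) use ($userGroupIds, $userId, $policy) {
    return canSeeMailing($m, $userGroupIds, $userId, $policy);
  });
  echo $policy . ': ' . implode(',', array_keys($visible)) . "\n";
}
```

Under the first policy the shared excluded group makes every mailing visible to the user, which is the effect reported in the thread; the other two policies narrow the list to mailings sent to the user's groups or created by the user.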

This forum was archived on 2017-11-26.