CiviCRM Community Forums (archive)

I'm trying to use ACLs to show different profiles (when they visit MyAccount) for a user depending on which group they belong to, but I can't seem to get this to work. Doubtless I'm missing something really basic...

First, I created two groups: member and visitor, each of which is an access control group. Then I created two profiles: member profile, and visitor profile (each is a view/edit user account profile and a profile profile). Then I assigned my users to various groups.

Then I created two ACL Roles (also named member and visitor). For Manage ACLs, I created two ACLs: one for Role member, operation edit, type of data profile, and which data the member profile. Ditto for visitor.

Finally, I assigned Users to Roles, so that ACL role "member" is assigned to group "member" (and ditto for visitor).

Under the Drupal access control (Home->Administer->User Management), the only thing I've enabled is access content (for both anonymous and authenticated users).

Still, whenever I log in as any user (one who belongs only to the member group, one who belongs only to the visitor group, or one who belongs to neither group) and visit My Account, I see both profiles. Am I missing something else? I am using Civicrm 2.0.3 on Drupal 5.7.

1. double check that "access profile listings and forms" is not checked for auth users

It is not. Just so I'm sure we're talking about the same thing, it's on the Home » Administer » User management page, right?

2. can u goto this url: q=civicrm/profile&reset=1&gid=VISITOR_PROFILE_ID as both visitor and member and see if u get an error message / permission denied. also do the same for the MEMBER role
 

That seems to work as I would expect: if I am logged in as the appropriate user, I get to a page where I can search with whatever fields in the profile are searchable. If I am not logged in to the appropriate group, I get an error page saying "The requested Profile (gid=1) is disabled, OR it is not configured to be used for 'Profile' listings in its Settings, or there is no Profile with that ID."

can u get on IRC and gimme access to your server via ssh? if so, i can hop on and take a quick look. If not, please file an issue and we'll investigate and fix in 2.1

lobo

Thanks, but it's a shared hosting site, and no SSH access. However, given some confidence that it is a bug, I spent some time looking for a workaround in the code -- I ended up modifying CRM_Core_BAO_UFGroup::getModuleUFGroup to take a third parameter called skipPermission (default true), added code as in the getFields method with the similar parameter, and changed the calls in civicrm/drupal/civicrm.module to pass false for that value when selecting 'User Account'.

That works for me (at least so far...), but I'm flying pretty blind here, and doubtless there are better ways to do this (in particular, this affects only Drupal, but IIRC, the ACL only works for Drupal anyway). I did run across a comment in CRM/Core/Permission/Drupal.php saying "lets introduce acl in 2.1", so perhaps this is all premature anyway.

I was looking at the fix for issue 3171 for this (which I can't seem to add a comment to); the civicrm.module uses the skipPermission field within only the civicrm_view_data() function. That means it only affects the View profiles; a user who selects edit will still see all the profiles. Is there any reason not to make the same change in the civicrm_categories() function? That means the edit works as expected as well, but perhaps there are other side effects?