CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017.

Author Topic: ACL Question using Drupal  (Read 1621 times)

kmitz

ACL Question using Drupal
June 21, 2008, 11:23:14 am
Hi,

I want to set a role + ACL that would allow a regional manager to edit only his/her contacts in an already existing group.

I am using the standard Drupal authenticated user as a start with only 'Access CiviCRM' checked on the Drupal user permissions page (nothing else in the CiviCRM section).

As Admin in CiviCRM, I have created a 'District Manager - 1' role and a group of Contacts based on a search by street name and added manually to the group.  When I log out and log back in as a standard authenticated user, I see only the Contacts in that group (I tried editing them, but I can't).  So far, so good.

I logged out and back in as Admin.  I changed the ACL from 'view' to 'edit', logged out and back in as a standard authenticated user.  Again, I can only see contacts in my group, and I can view and edit info on all tabs - except - when I click the Edit button at the top of the summary page (or the edit link on the page that lists all members of my group), as if to edit a phone number, I get this error message:

"Sorry. A non-recoverable error has occurred.  You do not have access to this page"

Curiously enough, I can delete a record in the group, but I just can't edit one.

What am I doing wrong?  And by extension, how can I prevent a District Manager from deleting Contacts?

Drupal 5.7 + CiviCRM 2.0.4

kmitz

Re: ACL Question using Drupal
June 21, 2008, 06:29:34 pm
Hi again,

I found this post:

http://forum.civicrm.org/index.php/topic,587.0.html

It seems to have worked, but I can still delete a contact.  It looks like I can add a new one, too, which I would expect after checking the 'Add Contacts' permission in Drupal.  Is this the correct behavior?  I'd like to have users edit Contacts, but neither delete them nor add them.

Will have a look at profiles...

Thanks, kmitz

Donald Lobo

Re: ACL Question using Drupal
June 21, 2008, 09:40:47 pm

CiviCRM does not have separate permissions for delete / add contacts (for now). I suspect we'll add this in a future 2.x version. You might want to consider submitting a patch to do this :)

lobo

kmitz

Re: ACL Question using Drupal
June 22, 2008, 08:00:57 am
Thanks Lobo,

I will have a look at it, but I think that's a bit above my pay grade, in this case.  :P

I'm amazed at all that CiviCRM offers.  Hats off to the development team.

kmitz

kmitz

Re: ACL Question using Drupal
June 23, 2008, 10:16:45 am
Hey Lobo,

I found the Smarty template Tabbed.tpl which contained a 'DELETE' button.  I made the following hack to hide the DELETE button from anyone but me (yes, I'm drunk with power...haahaaahaahhaha).

Line 19, 'templates/CRM/Contact/Page/View/Tabbed.tpl'

Code:
{if $permission EQ 'edit'}
        &nbsp; &nbsp; <input type="button" value="{ts}Delete{/ts}" name="contact_delete" onclick="window.location='{crmURL p='civicrm/contact/view/delete' q="reset=1&delete=1&cid=$contactId"}';"/>
{/if}

Change to:

Code:
{if $permission EQ 'edit' && $smarty.session.ufID == 2}
        &nbsp; &nbsp; <input type="button" value="{ts}Delete{/ts}" name="contact_delete" onclick="window.location='{crmURL p='civicrm/contact/view/delete' q="reset=1&delete=1&cid=$contactId"}';"/>
{/if}

Pretty crude, and not 100% effective (you can still delete if you know the correct URL), but makes it all but impossible for the bulk of the users.

I guess the better bet would be to restrict the delete query to all but ufID == 2, but I have no idea where to find that.  ???

kmitz

kmitz

Re: ACL Question using Drupal
June 23, 2008, 10:25:34 am
Sorry, that added code should be not

Code:
{if $permission EQ 'edit' && $smarty.session.ufID == 2}
but this:

Code:
{if $permission EQ 'edit' && $session->get('ufID') == 2}
Too much power, I guess...
« Last Edit: June 23, 2008, 05:49:37 pm by kmitz »
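
The posts above note that hiding the Delete button in Tabbed.tpl leaves the 'civicrm/contact/view/delete' URL reachable. As an added example (not part of the thread and not CiviCRM's own code), the sketch below enforces the same "ufID == 2" rule in the request handler rather than the template; `can()`, `dispatch()`, the lookup tables and the user ids 7 and 9 are hypothetical.

```php
<?php
// Added example: hypothetical names throughout, not CiviCRM's API.

// Constructed sample data: CMS user id (ufID) => permission granted by the ACL.
const ACL_PERMISSION = [2 => 'edit', 7 => 'edit', 9 => 'view'];

// Only these ufIDs may delete contacts (the thread's "ufID == 2" rule).
const DELETE_ALLOWED_UF_IDS = [2];

// Capability each route requires. Routes not listed here are denied.
const ROUTE_CAPABILITY = [
    'civicrm/contact/view'        => 'view',
    'civicrm/contact/view/delete' => 'delete',
];

function can(int $ufId, string $capability): bool
{
    $perm = ACL_PERMISSION[$ufId] ?? null;
    switch ($capability) {
        case 'view':
            return $perm === 'view' || $perm === 'edit';
        case 'edit':
            return $perm === 'edit';
        case 'delete':
            // Delete is its own capability; 'edit' alone does not imply it.
            return $perm === 'edit'
                && in_array($ufId, DELETE_ALLOWED_UF_IDS, true);
        default:
            return false;
    }
}

// Returns the HTTP status the request would get.
function dispatch(string $path, int $ufId): int
{
    $capability = ROUTE_CAPABILITY[$path] ?? null;
    if ($capability === null || !can($ufId, $capability)) {
        return 403; // refused regardless of what the template rendered
    }
    return 200; // the real handler would run here
}

// Constructed requests: ufID 7 can edit and never sees a Delete button,
// yet the check that matters is the one made when the route is requested.
$requests = [[2, 'civicrm/contact/view/delete'], [7, 'civicrm/contact/view/delete'],
             [7, 'civicrm/contact/view'], [9, 'civicrm/contact/view/delete']];
foreach ($requests as [$ufId, $path]) {
    printf("ufID %d %s -> %d\n", $ufId, $path, dispatch($path, $ufId));
}
```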


This forum was archived on 2017-11-26.