CiviCRM Community Forums (archive)

*

News:

Have a question about CiviCRM?
Get it answered quickly at the new
CiviCRM Stack Exchange Q+A site
This forum was archived on 25 November 2017. Learn more.
How to get involved.
What to do if you think you've found a bug.



  • CiviCRM Community Forums (archive) »
  • Old sections (read-only, deprecated) »
  • Support »
  • Using CiviCRM »
  • Using Profiles (Moderator: Dave Greenberg) »
  • Add-Delete-Add to group looses ACL permissions for profile forever
Pages: [1]

Author Topic: Add-Delete-Add to group looses ACL permissions for profile forever  (Read 2033 times)

DanilaD

  • I post occasionally
  • **
  • Posts: 93
  • Karma: 11
Add-Delete-Add to group looses ACL permissions for profile forever
April 04, 2009, 07:54:36 am
Hello.

Today, while testing access rights for a profile and viewing/editing data based on ACL (please see http://forum.civicrm.org/index.php/topic,7415.0.html for details), I've noticed that if a user is added to a Group, that is linked to an ACL role, everything works as it should.

But if I remove user from that group, and later add him back, he does not get the proper permissions back. Removing from a group is a kind of a 'never return' action for ACL. User cannot access profile and edit anything. Luckily I was testing this on a dummy user...

Regards,
Danila

Donald Lobo

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 15963
  • Karma: 470
    • CiviCRM site
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: Add-Delete-Add to group looses ACL permissions for profile forever
April 04, 2009, 09:02:11 am

hey danila:

can you do the following experiment:

1. with acl's working as specified, go ahead and delete the user from the group.

2. ensure that it works

3. go ahead and add the user back to the group

4. ensure that it does not work :(

5. from mysql shell, run: "truncate civicrm_acl_cache;"

6. can u check and see if that fixes the issue? I suspect it will, which means we need to invalidate acl cache when people are added to a group. What urls do you use to add a user to the group? is this via search or via contact view? A quick glance of the code does reveal we clean the cache up

thanx

lobo
A new CiviCRM Q&A resource needs YOUR help to get started. Visit our StackExchange proposed site, sign up and vote on 5 questions

DanilaD

  • I post occasionally
  • **
  • Posts: 93
  • Karma: 11
Re: Add-Delete-Add to group looses ACL permissions for profile forever
April 04, 2009, 05:43:34 pm
Hello, Lobo.

Unfortunatelly it does not.

The records in civicrm_acl_cache appear only after user tries to access the profile page. Always 6 of them appear, all with NULL contact_id and with NULL modified date. Foreign key to ACL is increasing from 2 to 7.

I checked both adding/removing from find contact page, and from contact view page with tabs.

civicrm_acl_cache is empty after I added new contact to the group.

When I use this fresh contact to go to the profile page, civicrm_acl_cache gets much more records, and they all have correct number in contact_id. modified_date is still empty.

So I think problem is not in civicrm_acl_cache.

Regards,
Danila

Donald Lobo

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 15963
  • Karma: 470
    • CiviCRM site
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: Add-Delete-Add to group looses ACL permissions for profile forever
April 04, 2009, 07:54:13 pm

any chance i can get ssh access to your machine since you have this set up?

lobo
A new CiviCRM Q&A resource needs YOUR help to get started. Visit our StackExchange proposed site, sign up and vote on 5 questions

DanilaD

  • I post occasionally
  • **
  • Posts: 93
  • Karma: 11
Re: Add-Delete-Add to group looses ACL permissions for profile forever
April 04, 2009, 08:29:01 pm
Sorry, Lobo, my clients will be unhappy with this...

I have replicated this setup on

http://drupal.demo.civicrm.org/civicrm/profile?reset=1&gid=5

user: TestACL
password: testtest

group: ACL testers
role: ACL tester

The only thing which is different between my setup and setup on drupal.demo.civicrm.org, as it seems to me, is that all authenticated users have access rights 'view all profiles' and 'edit all contacts', so I cannot replicate this bug.

So, could you please keep this rights for a while only for demo account role, and drop them for the authenticated users? Authenticated users need only 'access all custom data' from the civicrm permissions.

Regards,
Danila
Pages: [1]
  • CiviCRM Community Forums (archive) »
  • Old sections (read-only, deprecated) »
  • Support »
  • Using CiviCRM »
  • Using Profiles (Moderator: Dave Greenberg) »
  • Add-Delete-Add to group looses ACL permissions for profile forever

This forum was archived on 2017-11-26.