CiviCRM Community Forums (archive)


This forum was archived on 25 November 2017. Learn more.

Author Topic: ACL trouble. Please Help.  (Read 2384 times)

axlroach

ACL trouble. Please Help.
June 18, 2009, 07:56:21 am
Hi All,

I'm having problems with access control...

I've set up smart groups like:

Permissions:  Admins
Permissions:  Data Entry
etc...

Next, I created roles such as:
Add New Constituent
Add New Legislator
etc...

Next I created ACLs making it possible for:
The 'Add New Constituent' role to VIEW (and EDIT) the New Constituent Organization, Household and Individual Profile data

Lastly I tied everything together by:
Assigning the smart groups: Admins, Team Expert, Team Organizer, Data Entry and Fundraisers to the Add New Constituent Role.

Once all this was set up, I expected -- while masquerading as our test user (testperm) -- to not be able to link to the New Individual, New Household or New Organization entry forms, because testperm does not belong to either Admins, Team Expert, Team Organizer, Data Entry nor the Fundraisers group.  However, testperm can still link to those forms without any problem.

My question is, what have I overlooked?  Why are the ACL access rules not being followed?  If anyone has an answer or an idea that would be great!

Thanks so much!
aj

Donald Lobo

Re: ACL trouble. Please Help.
June 18, 2009, 08:21:11 am

1. i would login as testperm via another browser rather than using masquerade (since i've not used it and not sure if it works with civicrm)

2. the new indiv/h/o links are controlled via the administer civicrm permissions. seems like testperm has those permissions

3. seems like you've set acl permissions on profiles and not on a contact group

might be better if you describe what you are trying to accomplish and how you are planning to set it up

lobo
A new CiviCRM Q&A resource needs YOUR help to get started. Visit our StackExchange proposed site, sign up and vote on 5 questions

axlroach

Re: ACL trouble. Please Help.
June 18, 2009, 11:24:54 am
Hi Lobo,

I've tried logging in via another browser as testperm.  It's still the same result. 

What I have is a custom block module that has links for creating the following profiles:

Constituent
Legislator

What I want to happen is for that page (the profile creation form) to show 'access denied' when those links are clicked by a user who does not have creds to create (view or edit) a profile.

For example I would like users who are Team Organizers to be able to create Constituent contacts.

I went through these steps:
1 - Created a group called 'Team Organizers'
2 - Added some contacts to that group.
3 - Created an ACL Role called 'Add New Constituent'
4 - Created an ACL which allows the view (and edit I believe, because they are both the same for profiles if I understand correctly) operation on the 'New Constituent Individual' profile for the 'Add New Constituent' role.
5 - Assigned the 'Add New Constituent' role to the users in the 'Team Organizers' group.

Afterwards, I logged in as testperms -- who is NOT in the 'Team Organizers' group.  When I click on the link to take me to the form to create a new constituent profile I shouldn't be able to see that page, but I can see and save the form with no problems. 

Any idea what I may have missed here?

thanks!
aj


Donald Lobo

Re: ACL trouble. Please Help.
June 18, 2009, 12:04:46 pm

can you check who has the drupal permission to "access all profile listings and forms". Does auth user / anon user have that permission? make sure that testperms does not have a role that has this permission. this permission overrides all ACLs

lobo
A new CiviCRM Q&A resource needs YOUR help to get started. Visit our StackExchange proposed site, sign up and vote on 5 questions

petednz

Re: ACL trouble. Please Help.
June 18, 2009, 02:27:02 pm
Quote
What I have is a custom block module that has links for creating the following profiles:
Constituent
Legislator

Can we check there isn't some drupal/civi language looseness here.

In civicrm you won't have a link to 'create' a profile. Are you talking civicrm profiles or drupal profiles?
Sign up to StackExchange and get free expert advice: https://civicrm.org/blogs/colemanw/get-exclusive-access-free-expert-help

pete davis : www.fuzion.co.nz : connect + campaign + communicate

axlroach

Re: ACL trouble. Please Help.
June 19, 2009, 10:06:37 am
I'm talking about civicrm profiles.  We have a constituent profile and there is a custom block that has a link to create a constituent using the profile form.

Lobo:  I did in fact have the 'all profiles and listings' perm checked for auth users as well as the 'access all custom data' perm.  I unticked both of those and flushed all the caches.  Still, testperm is able to get to civicrm/profile/create?&gid=7&reset=1, which is the link to the constituent profile form.

Any other ideas?  I'm fresh out...

thanks,
aj


Donald Lobo

Re: ACL trouble. Please Help.
June 19, 2009, 12:49:40 pm

can u get on IRC. We'll need ssh access to the machine.

lobo
A new CiviCRM Q&A resource needs YOUR help to get started. Visit our StackExchange proposed site, sign up and vote on 5 questions

Eileen

Re: ACL trouble. Please Help.
June 19, 2009, 01:55:37 pm
I don't think this is unique to AJ. If I understand correctly he is saying he can still get to a CREATE PROFILE page even when he doesn't appear to have permission to.

I am seeing the same thing on my site. CREATE, SEARCH and EVENT registration profiles are visible to users who I don't think should have permissions.

http://classes.org.nz/index.php?q=civicrm/event/register&id=103&reset=1

Anonymous user does not have permission to 'PROFILE LISTINGS AND FORMS'

NB - I think this is the same thing I was querying wrt search profiles but didn't realise it affected all profiles.

« Last Edit: June 19, 2009, 02:00:20 pm by Eileen »
Make today the day you step up to support CiviCRM and all the amazing organisations that are using it to improve our world - http://civicrm.org/contribute

Donald Lobo

Re: ACL trouble. Please Help.
June 19, 2009, 09:30:00 pm

the transaction pages (event/contribution/membership) display the profiles that they have irrespective of permissions. This can be construed as a bug or a feature, but is definitely inconsistent behavior. It's a side effect of profiles having multiple uses and too many options :(

i'm pretty sure profile create/edit does match against permissions. if you think this is not true, please reproduce on a local machine and give us ssh access (can't do this on demo, since u'll probably need to disallow anon access to profiles by default)

lobo
A new CiviCRM Q&A resource needs YOUR help to get started. Visit our StackExchange proposed site, sign up and vote on 5 questions

Eileen

Re: ACL trouble. Please Help.
June 19, 2009, 10:09:02 pm
will e-mail you details
Make today the day you step up to support CiviCRM and all the amazing organisations that are using it to improve our world - http://civicrm.org/contribute

axlroach

Re: ACL trouble. Please Help.
June 22, 2009, 08:02:39 am
Eileen wrote:
Quote
I don't think this is unique to AJ. If I understand correctly he is saying he can still get to a CREATE PROFILE page even when he doesn't appear to have permission to.

Hi Eileen,

Yes!  This is exactly what I'm saying.  Sorry if I was being unclear.  Have there been any new developments regarding this problem?  Was anyone else able to reproduce profile creation not matching against permissions? 

Thanks,
aj

fen

Re: ACL trouble. Please Help.
June 22, 2009, 12:39:34 pm
dlobo - I can get you access to AJ's site, too...  please ping me

Eileen

Re: ACL trouble. Please Help.
June 22, 2009, 01:24:12 pm
Hi,

Lobo pointed out to me that it was because I had set in the administer civiCRM Access Control

Everyone   Edit   Profile   All Profiles   Edit All Profiles    Yes

and that was allowing people access to the profiles even when the drupal permissions weren't

I have removed that permission. The profile set to be used for 'Profile' still appears to be available to anonymous users in both its create and its search incarnation.

http://classes.org.nz/civicrm/profile/create?reset=1&gid=6

However, those set to 'search' are no longer available to anonymous users.

I think this is how it's supposed to work?



Make today the day you step up to support CiviCRM and all the amazing organisations that are using it to improve our world - http://civicrm.org/contribute
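
Added example (not part of the original thread, and not CiviCRM code): a simplified Python model of the three grant layers named in the replies above, reporting every rule that lets a user reach a profile form so that an unexpected "allow" can be traced to its source. The `Acl` class, the function `explain_profile_access`, and the sample data are assumptions constructed from the posts (profile gid 7, the 'Add New Constituent' role, the 'Team Organizers' group); CiviCRM's real evaluation is more involved.

```python
from dataclasses import dataclass

# Drupal permission quoted in the thread; per the reply it overrides all ACLs.
OVERRIDE_PERM = "access all profile listings and forms"
EVERYONE = "Everyone"   # ACL role that applies to every visitor
ALL_PROFILES = None     # constructed marker: the ACL row covers every profile

@dataclass(frozen=True)
class Acl:              # hypothetical, simplified stand-in for one ACL row
    role: str
    operation: str
    profile_id: object  # profile gid, or ALL_PROFILES
    enabled: bool = True

def explain_profile_access(user, cms_role_perms, acls, role_groups, gid):
    """Return every grant that lets `user` reach profile `gid` ([] = denied)."""
    reasons = []
    # Layer 1: CMS permission held through any CMS role, including the
    # "authenticated user" role that every logged-in account carries.
    for role in user["cms_roles"]:
        if OVERRIDE_PERM in cms_role_perms.get(role, set()):
            reasons.append(f"CMS role '{role}': {OVERRIDE_PERM}")
    # Layers 2 and 3: enabled ACL rows that cover this profile.
    for acl in acls:
        if not acl.enabled or acl.profile_id not in (ALL_PROFILES, gid):
            continue
        if acl.role == EVERYONE:
            reasons.append(f"ACL: Everyone may {acl.operation}")
        elif role_groups.get(acl.role, set()) & user["groups"]:
            reasons.append(f"ACL: role '{acl.role}' via group membership")
    return reasons

# Constructed sample data mirroring the setups described in the thread.
TESTPERM = {"cms_roles": ["authenticated user"], "groups": set()}
ORGANIZER = {"cms_roles": ["authenticated user"], "groups": {"Team Organizers"}}
ROLE_GROUPS = {"Add New Constituent": {"Team Organizers"}}
INTENDED_ACLS = [Acl("Add New Constituent", "Edit", 7)]
LEAKY_PERMS = {"authenticated user": {OVERRIDE_PERM}}
LEAKY_ACLS = INTENDED_ACLS + [Acl(EVERYONE, "Edit", ALL_PROFILES)]

if __name__ == "__main__":
    for label, perms, acls in [("as found", LEAKY_PERMS, LEAKY_ACLS),
                               ("tightened", {}, INTENDED_ACLS)]:
        for name, user in [("testperm", TESTPERM), ("organizer", ORGANIZER)]:
            why = explain_profile_access(user, perms, acls, ROLE_GROUPS, 7)
            print(f"{label:9} {name:9} -> {why or 'access denied'}")
```

Any non-empty result for a user who should be denied names the grant to remove; the narrow role ACL only takes effect once the broader grants are gone.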

Donald Lobo

Re: ACL trouble. Please Help.
June 22, 2009, 02:29:12 pm

i'll log in next week and check. i did the same thing on my local machine and it worked as expected. in the meantime, can you

truncate civicrm_cache;
truncate civicrm_acl_cache;

in your civicrm db, just to ensure that the caches are truncated

thanx

lobo
A new CiviCRM Q&A resource needs YOUR help to get started. Visit our StackExchange proposed site, sign up and vote on 5 questions

Eileen

Re: ACL trouble. Please Help.
June 26, 2009, 01:42:29 am
Hi,

For the sake of my site I'm happy just to try upgrading to a later version - that site is on 2.2.0 at the moment. But I'll leave it for now if you feel there is value in investigating. Might be good to hear if AJ is still having problems.

I don't see a change from truncating. Some users have been having a couple of profile errors that don't seem right since we've been looking at this so I truncated sessions as well and am hoping they will tell me that those errors have gone now
Make today the day you step up to support CiviCRM and all the amazing organisations that are using it to improve our world - http://civicrm.org/contribute


This forum was archived on 2017-11-26.