CiviCRM Core, issue #1732
Created Apr 24, 2020 by wmortada@wmortada

Anonymous user given different permissions depending on CMS

Overview

The initial set of permissions given to the anonymous user appears to be inconsistent across CMSs. I discovered this when trying to update the documentation on permissions in the user guide.

I think it would be better if there were a consistent set of permissions that were set regardless of CMS. This would make it clearer for users when they first install CiviCRM and look at the documentation on permissions.

Current behaviour

The initial permissions for the anonymous user are different depending on which CMS you use.

These are the permissions on a site freshly created via buildkit. These permissions vary if the site is installed in a different way (see discussion below).

| Permission | Drupal 7 | Drupal 8 | WordPress | Backdrop | Joomla |
|---|---|---|---|---|---|
| CiviCRM: access all custom data | Yes | Yes | Yes | Yes | Yes |
| CiviCRM: access uploaded files | Yes | Yes | Yes | Yes | Yes |
| CiviCRM: profile create | Yes | Yes | Yes | Yes | No |
| CiviCRM: profile edit | No | Yes | Yes | No | No |
| CiviCRM: profile view | Yes | Yes | Yes | Yes | No |
| CiviCRM: profile listings and forms | No | No | No | No | Yes |
| CiviEvent: register for events | Yes | Yes | Yes | Yes | Yes |
| CiviEvent: view event info | No | Yes | Yes | No | Yes |
| CiviEvent: view event participants | No | Yes | No | No | Yes |
| CiviContribute: make online contributions | Yes | Yes | Yes | Yes | Yes |
| CiviMail: access CiviMail subscribe/unsubscribe pages | Yes | Yes | Yes | Yes | Yes |
| CiviMail: view public CiviMail content | No | No | Yes | No | No |
| CiviCampaign: sign CiviCRM Petition | No | No | Yes | No | No |

Proposed behaviour

The permissions should be the same regardless of CMS and the way that CiviCRM is installed.

Comments

I guess this probably relates to #1615.

I've tracked down the following files that set permissions for the anonymous user.

WordPress and Joomla seem to be the most consistent in that the permissions are only defined in one place:

  • WordPress
  • Joomla

Drupal and Backdrop permissions are defined in multiple locations:

  • In install/index.php
    • Drupal 6
    • Drupal 7
    • Backdrop
  • In the new civicrm-setup files
    • Drupal 7
    • Drupal 8
    • Backdrop
  • In the civicrm_webtest module
    • Drupal 7 and Backdrop

Finally CiviCRM's ACL permissions are set here:

  • xml/templates/civicrm_acl.tpl

Needless to say, each sets a slightly different set of permissions.

Edited Apr 27, 2020 by wmortada