Anonymous user given different permissions depending on CMS (#1732) · Issues · Development / Core

Anonymous user given different permissions depending on CMS

Overview

The initial set of permissions given to the anonymous user appears to be inconsistent across CMSs. I discovered this when trying to update the documentation on permissions in the user guide.

I think it would be better if there were a consistent set of permissions that were set regardless of CMS. This would make it clearer for users when they first install CiviCRM and look at the documentation on permissions.

Current behaviour

The initial permissions for the anonymous user are different depending on which CMS you use.

These are the permissions on a site freshly created via buildkit. These permissions vary if the site is installed in a different way (see discussion below).

Permission	Drupal 7	Drupal 8	WordPress	Backdrop	Joomla
CiviCRM: access all custom data	Yes	Yes	Yes	Yes	Yes
CiviCRM: access uploaded files	Yes	Yes	Yes	Yes	Yes
CiviCRM: profile create	Yes	Yes	Yes	Yes	No
CiviCRM: profile edit	No	Yes	Yes	No	No
CiviCRM: profile view	Yes	Yes	Yes	Yes	No
CiviCRM: profile listings and forms	No	No	No	No	Yes
CiviEvent: register for events	Yes	Yes	Yes	Yes	Yes
CiviEvent: view event info	No	Yes	Yes	No	Yes
CiviEvent: view event participants	No	Yes	No	No	Yes
CiviContribute: make online contributions	Yes	Yes	Yes	Yes	Yes
CiviMail: access CiviMail subscribe/unsubscribe pages	Yes	Yes	Yes	Yes	Yes
CiviMail: view public CiviMail content	No	No	Yes	No	No
CiviCampaign: sign CiviCRM Petition	No	No	Yes	No	No

Proposed behaviour

The permissions should be the same regardless of CMS and the way that CiviCRM is installed.

Comments

I guess this probably relates to #1615.

I've tracked down the following files that set permissions for the anonymous user.

WordPress and Joomla seem to be the most consistent in that the permissions are only defined in one place:

Drupal and Backdrop permissions are defined in multiple locations:

In install/index.php
In the new civicrm-setup files
In the civicrm_webtest module
- Drupal 7 and Backdrop

Finally CiviCRM's ACL permissions are set here:

xml/templates/civicrm_acl.tpl

Needless to say, each sets a slightly different set of permissions.

Overview
----------------------------------------
The initial set of permissions given to the anonymous user appears to be inconsistent across CMSs. I discovered this when trying to [update the documentation on permissions](https://github.com/civicrm/civicrm-user-guide/pull/441) in the user guide.

Current behaviour
----------------------------------------
The initial permissions for the anonymous user are different depending on which CMS you use.

These are the permissions on a site freshly created via `buildkit`. These permissions vary if the site is installed in a different way (see discussion below).

Permission | Drupal 7 | Drupal 8 | WordPress | Backdrop | Joomla
-- | -- | -- | -- | -- | --
CiviCRM: access all custom data | Yes | Yes | Yes | Yes | Yes
CiviCRM: access uploaded files | Yes | Yes | Yes | Yes | Yes
CiviCRM: profile create | Yes | Yes | Yes | Yes | **No** 
CiviCRM: profile edit | **No** | Yes | Yes | **No** | **No**
CiviCRM: profile view | Yes | Yes | Yes | Yes | **No** | **No**
CiviCRM: profile listings and forms | **No** | **No** | **No** | **No** | Yes
CiviEvent: register for events | Yes | Yes | Yes | Yes | Yes
CiviEvent: view event info | **No** | Yes | Yes | **No** | Yes
CiviEvent: view event participants | **No** | Yes | **No** | **No** | Yes
CiviContribute: make online contributions | Yes | Yes | Yes | Yes | Yes
CiviMail: access CiviMail subscribe/unsubscribe pages | Yes | Yes | Yes | Yes | Yes
CiviMail: view public CiviMail content | **No** | **No** | Yes | **No** | **No**
CiviCampaign: sign CiviCRM Petition | **No** | **No** | Yes | **No** | **No**

Proposed behaviour
----------------------------------------
The permissions should be the same regardless of CMS and the way that CiviCRM is installed.

Comments
----------------------------------------
I guess this probably relates to #1615.

I've tracked down the following files that set permissions for the anonymous user.

WordPress and Joomla seem to be the most consistent in that the permissions are only defined in one place:

* [WordPress](https://github.com/civicrm/civicrm-wordpress/blob/145e98bb647122e66a6a624ed17f58846319e7e7/includes/civicrm.users.php#L248-L268)
* [Joomla](https://github.com/civicrm/civicrm-joomla/blob/master/script.civicrm.php#L188-L211)

Drupal and Backdrop permissions are defined in multiple locations:

* In `install/index.php`
  * [Drupal 6](https://github.com/civicrm/civicrm-core/blob/master/install/index.php#L1804)
  * [Drupal 7](https://github.com/civicrm/civicrm-core/blob/master/install/index.php#L1839-L1855)
  * [Backdrop](https://github.com/civicrm/civicrm-core/blob/master/install/index.php#L1874-L1886)
* In the new `civicrm-setup` files
  * [Drupal 7](https://github.com/civicrm/civicrm-core/blob/master/setup/plugins/installDatabase/FlushDrupal.civi-setup.php#L26-L42)
  * [Drupal 8](https://github.com/civicrm/civicrm-core/blob/master/setup/plugins/installDatabase/FlushDrupal8.civi-setup.php#L26-L38)
  * [Backdrop](https://github.com/civicrm/civicrm-core/blob/master/setup/plugins/installDatabase/FlushBackdrop.civi-setup.php#L25-L37)
* In the `civicrm_webtest` module
  * [Drupal 7 and Backdrop](https://github.com/civicrm/civicrm-core/blob/master/tools/drupal/modules/civicrm_webtest/civicrm_webtest.install#L14-L22)

Finally CiviCRM's ACL permissions are set here:

* [xml/templates/civicrm_acl.tpl](https://github.com/civicrm/civicrm-core/blob/master/xml/templates/civicrm_acl.tpl)

Needless to say, each sets a slightly different set of permissions.

Edited Apr 27, 2020 by wmortada

Discussion
Designs

The one place for your designs

To enable design management, you'll need to meet the requirements. If you need help, reach out to our support team for assistance.