Anonymous user given different permissions depending on CMS
Overview
The initial set of permissions given to the anonymous user appears to be inconsistent across CMSs. I discovered this when trying to update the documentation on permissions in the user guide.
I think it would be better if there were a consistent set of permissions that were set regardless of CMS. This would make it clearer for users when they first install CiviCRM and look at the documentation on permissions.
Current behaviour
The initial permissions for the anonymous user are different depending on which CMS you use.
These are the permissions on a site freshly created via buildkit. These permissions vary if the site is installed in a different way (see discussion below).
| Permission | Drupal 7 | Drupal 8 | WordPress | Backdrop | Joomla |
|---|---|---|---|---|---|
| CiviCRM: access all custom data | Yes | Yes | Yes | Yes | Yes |
| CiviCRM: access uploaded files | Yes | Yes | Yes | Yes | Yes |
| CiviCRM: profile create | Yes | Yes | Yes | Yes | No |
| CiviCRM: profile edit | No | Yes | Yes | No | No |
| CiviCRM: profile view | Yes | Yes | Yes | Yes | No |
| CiviCRM: profile listings and forms | No | No | No | No | Yes |
| CiviEvent: register for events | Yes | Yes | Yes | Yes | Yes |
| CiviEvent: view event info | No | Yes | Yes | No | Yes |
| CiviEvent: view event participants | No | Yes | No | No | Yes |
| CiviContribute: make online contributions | Yes | Yes | Yes | Yes | Yes |
| CiviMail: access CiviMail subscribe/unsubscribe pages | Yes | Yes | Yes | Yes | Yes |
| CiviMail: view public CiviMail content | No | No | Yes | No | No |
| CiviCampaign: sign CiviCRM Petition | No | No | Yes | No | No |
Proposed behaviour
The permissions should be the same regardless of CMS and the way that CiviCRM is installed.
Comments
I guess this probably relates to #1615.
I've tracked down the following files that set permissions for the anonymous user.
WordPress and Joomla seem to be the most consistent in that the permissions are only defined in one place:
Drupal and Backdrop permissions are defined in multiple locations:
- In
install/index.php - In the new
civicrm-setupfiles - In the
civicrm_webtestmodule
Finally CiviCRM's ACL permissions are set here:
Needless to say, each sets a slightly different set of permissions.