Confusing note regarding ACLs for events
Overview
When managing ACLs for Events, users are presented with the following note:
NOTE: For Event ACLs, the 'View' operation allows access to the event information screen. "Edit" allows users to register for the event if online registration is enabled. Please remember that Drupal's "register for events" permission overrides CiviCRM's control over event information access.
I find this wording highly confusing for several reasons.
Current behaviour
- Reading
event information screen
I thought only page visits of/civicrm/event/info
are affected, when in fact, this also concerns the events I see in the backend's event dashboard at/civicrm/event
. I think I would have correctly guessed what the View permission does without this note. - Reading
"Edit" allows users to register for the event if online registration is enabled.
...- I thought this has nothing to do with configuring events in the backend, when in fact, this is just exactly that. Again, I find this note more confusing than helpful.
- I am additionally confused as a user of the Webform CiviCRM Integration because my participants never use CiviCRM's online registration feature. So I am asking myself “Does this cover my use case as well?” and “Who actually needs the permission to edit in my case?”
- If I allow anonymous users to access all events on Drupal's permission page and also grant Edit permissions via CiviCRM's ACLs, then those users granted edit rights do not have the right to View other events anymore. The UI does not inform me about this behaviour.
- Reading
View
andEdit
I wonder whether the latter includes the former. Would make sense, but I don't know from the UI.
Proposed behaviour
- Maybe this should read
[...] allows access to the event's information.
- (see the suggestions below)
- Maybe add a clause that the Edit permission also allows configuring the event in the backend. But isn't this even more confusing then, because the Edit permission allows event configuration and event registration (two rights that most would think are different)?
- Maybe add an explanation for those who register their participants through Drupal's Webform module.
- Maybe add a clause that explains that once any of the View or Edit permissions is given through the ACLs, Drupal's CiviEvent permissions view event info is overriden, even granted for anonymous users (at least that's how I understand it).
- Maybe add a clause that Edit includes the right to View (if this is the case),
Comments
I am using CiviCRM 5.31 on Drupal 8