Possible bug: authenticated user with ACL Edit Right for a group of contacts can "Record Activity, Tag Contact and Add to Group" on ALL contacts
I have an ACL role that has Edit rights over a group of contacts (group A). When I list all my contacts, this user is able to perform some actions it shouldn't be able to on the other contacts (those not in group A). Actions: "Record Activity", "Tag Contact" and "Add to Group".
- Create an ACL with Edit permission over a group of contacts (i.e. European Manager has Edit access over European Contacts)
- Give "View All" permission to authenticated users in the CMS
- Or: do not give "View All Contacts" permission to authenticated users in the CMS AND create a group "All Contacts", add all contacts to that group and give ACL View permission to authenticated users
  (Note: the only other CMS permissions set for this role are "CiviCRM: access CiviCRM backend and API" and "CiviCRM: access AJAX API".)
- List All Contacts

You'll see that this user can perform the actions "Record Activity", "Tag Contact" and "Add to Group" on all contacts.
This user should only be allowed these actions (Record Activity, etc.) on the contacts it has Edit rights over. For the ones it has only View access to, it should only be allowed to "View" and "Send Email".
- CiviCRM: 5.33.2
- PHP: 7.4
- CMS: Drupal 7
- Database: MySQL 5.7
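An added audit query (not from the issue or from CiviCRM itself) that reads what the ACL tables actually grant, so the action menu in the contact list can be compared against the stored permissions rather than the UI alone. Assumptions: stock CiviCRM 5.x table names, `object_id = 0` meaning "All Groups", and the role label 'European Manager' taken from the issue.

```sql
-- Added audit query (not part of the original issue). Assumes the stock
-- CiviCRM 5.x schema: civicrm_acl, civicrm_option_group/civicrm_option_value
-- (option group name 'acl_role'), civicrm_group, civicrm_group_contact,
-- civicrm_contact. The role label 'European Manager' is the example role
-- named in the issue; replace it with the role under test.

-- 1. What each ACL role is granted, and over which group.
--    object_id = 0 is assumed to mean "All Groups" (the counter-example
--    in the issue); verify that assumption on your own install.
SELECT role.label AS acl_role,
       a.operation,                           -- 'View', 'Edit', 'All', ...
       COALESCE(g.title, 'All Groups') AS over_group,
       a.deny
FROM civicrm_acl a
JOIN civicrm_option_value role
  ON a.entity_table = 'civicrm_acl_role'
 AND role.value = a.entity_id
 AND role.option_group_id =
       (SELECT id FROM civicrm_option_group WHERE name = 'acl_role')
LEFT JOIN civicrm_group g
  ON a.object_table = 'civicrm_group'
 AND g.id = a.object_id
WHERE a.is_active = 1
ORDER BY role.label, a.operation, over_group;

-- 2. For one role, the effective per-contact permission the ACL rows grant.
--    Contacts with can_edit = 0 are the ones on which the role should only
--    get View/Send Email style actions, so this list can be compared row by
--    row with the action menu described in the issue.
SELECT c.id,
       c.display_name,
       MAX(a.operation IN ('Edit', 'All'))         AS can_edit,
       MAX(a.operation IN ('View', 'Edit', 'All')) AS can_view
FROM civicrm_contact c
JOIN civicrm_group_contact gc
  ON gc.contact_id = c.id
 AND gc.status = 'Added'
JOIN civicrm_acl a
  ON a.object_table = 'civicrm_group'
 AND (a.object_id = gc.group_id OR a.object_id = 0)
 AND a.is_active = 1
 AND a.deny = 0
JOIN civicrm_option_value role
  ON a.entity_table = 'civicrm_acl_role'
 AND role.value = a.entity_id
 AND role.option_group_id =
       (SELECT id FROM civicrm_option_group WHERE name = 'acl_role')
WHERE role.label = 'European Manager'
  AND c.is_deleted = 0
GROUP BY c.id, c.display_name
ORDER BY can_edit DESC, c.display_name;
```

The CMS-level "View All Contacts" / "Edit All Contacts" permissions bypass the ACL table entirely and do not show up here, so run this with those CMS permissions removed from the role being checked.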
I am unsure if this is a bug or just a bad configuration on my part, but the inconsistency brought me to create this issue.
I have found a counter example that further exposes this inconsistency:
- When we don't have "View All Contacts" for authenticated users and we have an ACL View permission on "All Groups" (instead of an ACL View permission over a group containing all contacts). With this configuration we don't get "Record Activity", "Tag Contact" or "Add to Group" on any of the contacts.
This may actually be the expected result, since my user does not have "Manage Groups" permission.
However, what I would actually like to achieve is:
- All authenticated users can View all contacts
- Users with Edit ACLs can edit specific contacts
- Users with ACLs can Add to groups (and create groups) of contacts ONLY over which they have Edit permission.
Which seems impossible at the moment.