ACL restricted users lose access to contacts when editing via search list
Overview
When using ACL restriction for access to contacts, the following problem occurs: After searching contacts and editing a contact via the edit link on the search list, CiviCRM tries to save the group, which is used to handle the ACL access. However, since this user doesn't have the permission to edit the group, the group is automatically removed from the contact when it is saved.
This only happens when the contact is edited using the edit link on the search list, instead editing using the summary page works well.
Reproduction steps
- Create ACL permission (edit group of contacts, resulting in member of group A is allowed to edit contacts in group B only).
- Search all contacts, click on edit-Link of the first contact in search list.
- Change Address, click on SAVE
- Contact is save, but membership in group B is removed, the user cannot view the contact anymore.
Current behaviour
- See above: the ACL-restricted user has no access to the contact anymore.
- When editing via summary screen, everything works fine.
- Strangely, when the user is assigned to another ACL rule, everything works fine.
Expected behaviour
- After editing, the edited contact should stay in group B.
Environment information
- CiviCRM: 5.35.1
- PHP: 7.3
- CMS: 5.7
- Database: MySQL 5.7.7
Comments
I believe, this issue was introduced with the change of ACL's (permission to edit group) recently.