Inconsistencies on where hook_civicrm_aclGroup is applied
Overview
We have several sites with (dynamic) ACLs in place, and we found that hook_civicrm_aclGroup is not applied in several places where a list of Groups is displayed.
Let's say we want to restrict a user to accessing only the Groups he/she created.
IMPORTANT: This user has no permissions ['edit all contacts', 'view all contacts'], which changes the whole logic behind ACLs.
My hook implementation:
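function myextension_civicrm_aclGroup($type, $contactID, $tableName, &$allGroups, &$currentGroups) {
  // Only handle ACL checks made against this table name.
  if ($tableName == "civicrm_saved_search") {
    // Restrict the list to groups created by the logged-in contact.
    if ($userID = CRM_Core_Session::getLoggedInContactID()) {
      // Bind the contact ID as a typed parameter instead of interpolating it.
      $query = "SELECT `id` FROM civicrm_group WHERE created_id = %1";
      $result = CRM_Core_DAO::executeQuery($query, [1 => [$userID, 'Integer']]);
      while ($result->fetch()) {
        // Each ID added here becomes a group the user is allowed to access.
        $currentGroups[$result->id] = $result->id;
      }
    }
  }
}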
So, this works in some places in CiviCRM and does not work in other places. Basically, the inclusion of hook_civicrm_aclGroup is not consistent when there's a list of groups.
Where this DOES work:
- Search Forms, Group dropdowns options
- Report Forms, Group filter dropdowns options
- Group Page
(all of the above are based on the function CRM_Core_PseudoConstant::group(), which applies aclGroup constraints)
Where this DOES NOT work:
- New Mailing, Recipients dropdown
- New Mailing, Testing Group dropdown
- New Mailing Test A/B, Recipients dropdown
- APIv3 Group.get or Group.getlist call, with or without param check_permissions => TRUE
- APIv4 Group.get call, with or without checkPermissions = TRUE
(CiviMailing Forms are based on APIv3 calls Group.get and Group.getlist)