SearchKit+Afform issue with Cases
Search Kit searches for Contacts with Cases will fail if the user does not have "Administer CiviCRM" permission.
The detailed description below is incorrect. In fact the Case Permission extension does not cause the issue, and it affects a vanilla Civi install in the same manner.
Reproduction steps (updated)
This has been tested on Civi 5.43.1:
- Create a clean install of Civi on Drupal 7
- Create a Permission User contact and a Test Client contact
- Enable the CiviCase component, plus Search Kit and Afform extensions
- Add a Case for Test Client
- Create a Search Kit search showing Contacts with optional Contact Cases (if Case is in the Trash = No), WHERE Case Subject is not empty
- Add a Display for the search and create a Search Afform to display it
- Create a Drupal user login for Permission User
- Add CiviCase permissions and other Civi permissions for Permission User
- Confirm that when the admin visits the Search Afform, they see Test Client and their Case subject, but Permission User does not see any results
Original (outdated) issue description
We use hook_civicrm_selectWhereClause to apply granular Case permissions by Case Type. When we create a SearchKit search and an Afform to display it, users who do not have "Administer CiviCRM" permission do not see any results.
I mentioned the issue briefly here: https://chat.civicrm.org/civicrm/pl/cjjf8e6p8bnbfyh83inm5abtay
Reproduction steps (outdated)
- Install this extension on a clean Civi system with test data: https://github.com/AsylumSeekersCentre/au.org.asylumseekerscentre.casepermission
- Check that some Contacts and Cases have been created, and if not, create some
- Create a CMS user with permission to see all Cases, including all granular Case Type permissions (added by the extension), but without "Administer CiviCRM"
- Create a SearchKit search showing Contacts with optional Contact Cases (if Case is in the Trash = No), WHERE Case Subject is not empty -- (or is empty, choose something which shows results for the admin)
- Create an Afform to display the search to users and view the page as an admin, confirming that you see results
- View the page as the user affected by permissions
The user affected by permissions does not see any results. There are no error messages in the Drupal log.
Stepping through the sequence in xdebug, it lands in this AJAX exception handler: https://lab.civicrm.org/dev/core/-/blob/master/CRM/Api4/Page/AJAX.php#L83
At that point, $e->message contains this string:
Invalid field 'Contact_CaseContact_Case_01.subject'
Going back through the sequence of calls before that:
When it gets to this point with $item="Contact_CaseContact_Case_01.subject", the variable "$valid" is FALSE: https://lab.civicrm.org/dev/core/-/blob/master/Civi/Api4/Query/Api4SelectQuery.php#L268
If I try to step over buildWhereClause in xdebug, it jumps to the AJAX exception handler linked above, so it's failing somewhere in this function call:
I haven't gone any further yet to diagnose what is going wrong.
Users should see results consistent with their permissions.
- Browser: Chromium 95.0.4638.69
- CiviCRM: 5.43.0
- PHP: 7.3
- CMS: Drupal 7.82
- Database: 10.3.31-MariaDB, for debian-linux-gnu (x86_64)
- Web Server: Apache 2.4
The situation matches the title of this issue: #2921
However, this one relates to a different hook and will probably require a separate solution.