Activities: Not able to see activity if created by contact you don't have access to
Overview
We restrict access to contacts using Group Memberships and ACLs. Specific users are only able to see members of specific groups. We have discovered that users are not able to view an activity unless they have access to both the contact and the creator of the activity (which may be in a group they don't have access to).
Reproduction steps
- Sally and Glenn are members of the "Group ABC" group.
- Bob is a member of the "Group XYZ" group.
- A group "Access Group ABC" exists with ACL permissions to "Group ABC".
- James is a member of "Access Group ABC".
- James can see the contact records for Sally and Glenn.
- If Glenn creates an activity on Sally's profile, James can view the activity without issue.
- If Bob creates an activity on Sally's profile, James can see the activity in the list but cannot view it.
Current behaviour
You need to have access to both the contact and the creator of the activity in order to view an Activity.
Expected behaviour
If you have access to the contact (and all other permissions are correct), you should have access to the activity.
Environment information
- Browser: Chrome Version 100.0.4896.127
- CiviCRM: 5.48.1
- PHP: 7.4.28 (Supports 64bit values)
- CMS: WordPress 5.9.3
- Database: 10.2.43-MariaDB
- Web Server: Apache
Comments
This assumes that all other permissions (such as WordPress role permissions) are configured correctly. CiviCRM seems to be checking for access to both the creator of an activity and the contact it's assigned to, to determine if you can view the contents of the activity. You are able to see the activity listed in the Activities tab without issue.
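The reproduction steps above, modelled as an added example (Python, not CiviCRM code and not written by the reporter). The groups and contacts come from the report; the function names and the two rule variants are assumptions that encode the reported and the expected behaviour, and the check flags activities that appear in the list but cannot be opened.

```python
from dataclasses import dataclass

# Constructed data taken from the reproduction steps in the report.
GROUP_MEMBERS = {
    "Group ABC": {"Sally", "Glenn"},
    "Group XYZ": {"Bob"},
    "Access Group ABC": {"James"},
}
# ACL: members of the key group may view contacts in the listed groups.
ACL_GRANTS = {"Access Group ABC": {"Group ABC"}}


@dataclass(frozen=True)
class Activity:
    creator: str  # contact who created the activity
    target: str   # contact whose profile the activity is on


def can_view_contact(user, contact):
    """True if an ACL group the user belongs to grants a group containing contact."""
    for acl_group, granted in ACL_GRANTS.items():
        if user not in GROUP_MEMBERS.get(acl_group, set()):
            continue
        if any(contact in GROUP_MEMBERS.get(g, set()) for g in granted):
            return True
    return False


def can_list_activity(user, act):
    # Activities tab as described: the row shows if the target contact is visible.
    return can_view_contact(user, act.target)


def can_view_reported(user, act):
    # Reported behaviour (assumed rule): creator AND target must both be viewable.
    return can_view_contact(user, act.creator) and can_view_contact(user, act.target)


def can_view_expected(user, act):
    # Expected behaviour: access to the target contact is sufficient.
    return can_view_contact(user, act.target)


def list_view_mismatches(user, activities, view_check):
    """Activities the user can see in the list but cannot open."""
    return [a for a in activities
            if can_list_activity(user, a) and not view_check(user, a)]


ACTIVITIES = [Activity("Glenn", "Sally"), Activity("Bob", "Sally")]
```

Run against a real permission layer, the same list-versus-view comparison works as a regression test: any non-empty result means the two code paths apply different access rules.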