Search Tasks limited by certain ACLs when they should not be
Sometimes an incomplete list of search tasks are shown to a user whose access is ACL limited.
I think this problem is caused by this line:
https://lab.civicrm.org/dev/core/-/blob/5.56/CRM/ACL/BAO/ACL.php#L503
I think the loop break
s when it shouldn't. I think what's intended is to simply shift that break
up within the if {}
that ends on the line above it.
I think the intention of the code is:
- loop through the DAO results that lists permissions
- if the object_id is empty (typically, zero) then the permission applies to all "objects of that type" by which I think it means groups.
- there's an allowance that this record might be for a different permission type (e.g. View instead of Edit) which we would want to ignore
- if the type does match, then all groups are permissioned and we merge those onto our
$ids
array
However where it fails is if there are, say, 2 rows returned. The first says View all, the 2nd says Edit all, and we're asking about edit permission. Because of the break
where it is, once the first row is looked at and discarded, we break and don't loko at the 2nd row!
Shifting the break
up seems to fix this and seems to me to be probably what was intended.
Because this bug is highly sensitive to a load of stuff, it's likely that this shows up in weird situations and could be hard to reproduce.
If this makes sense to anyone I'll submit a PR.
In case it's helpful, my proposal is
diff --git a/sites/all/modules/civicrm/CRM/ACL/BAO/ACL.php b/sites/all/modules/civicrm/CRM/ACL/BAO/ACL.php
index 58b388b73..3d036a3a3 100644
--- a/CRM/ACL/BAO/ACL.php
+++ b/CRM/ACL/BAO/ACL.php
@@ -499,8 +499,8 @@ ORDER BY a.object_id
foreach ($allGroups as $id => $dontCare) {
$ids[] = $id;
}
+ break;
}
- break;
}
}
return $ids;