Users without batch permissions may create and run batches
Overview
Users without permission to create batches can not only create batches but also validate and run them.
Reproduction steps
- From a default install of CiviCRM in WordPress access the "WordPress Access Control" page
- For a given userclass remove all of the following permissions:
- CiviCRM: create manual batch Create an accounting batch (with Access to CiviContribute and View Own/All Manual Batches)
- CiviCRM: edit own manual batches Edit accounting batches created by user
- CiviCRM: edit all manual batches Edit all accounting batches
- CiviCRM: close own manual batches Close accounting batches created by user (with Access to CiviContribute)
- CiviCRM: close all manual batches Close all accounting batches (with Access to CiviContribute)
- CiviCRM: reopen own manual batches Reopen accounting batches created by user (with Access to CiviContribute)
- CiviCRM: reopen all manual batches Reopen all accounting batches (with Access to CiviContribute)
- CiviCRM: view own manual batches View accounting batches created by user (with Access to CiviContribute)
- CiviCRM: view all manual batches View all accounting batches (with Access to CiviContribute)
- CiviCRM: delete own manual batches Delete accounting batches created by user
- CiviCRM: delete all manual batches Delete all accounting batches
- CiviCRM: export own manual batches Export accounting batches created by user
- CiviCRM: export all manual batches Export all accounting batches
- Create a user for that userclass and login
- Click "Batch Data Entry" from the Memberships menu
- Create a batch and press validate.
Current behaviour
The batch will run.
Expected behaviour
If the user has none of the permissions above they should not be able to create, validate or run a batch.
Environment information
- Browser: Chrome Version 114.0.5735.90 (Official Build) (64-bit)
- CiviCRM: 5.52.2
- CMS: WordPress 6.0.5
Comments
The user can also "save for later" but can never access those saved batches again, as they are (quite correctly) prohibited from seeing the list.