CiviCase access to activities permission discrepancy
I propose to alter the high-level permissions for accessing case activities to always look for 'access my cases and activities' or 'access all cases and activities' (and not 'administer CiviCase', which it inconsistently does at the moment).
There are 2 main functions affecting CiviCase access from the various activity functions:
- CRM_Case_BAO_Case::accessCiviCase - returns true if user has any one of:
  - 'access my cases and activities'
  - 'access all cases and activities'
- CRM_Activity_BAO_Activity::checkPermission - returns true if user has any one of:
  - 'access my cases and activities'
  - 'access all cases and activities'
  - 'administer CiviCase'
In practice this means that with 'administer CiviCase' but not the other perms I can:
- access the page to configure case statuses
- not access the page to configure case types
- access the page to configure case settings
- not access the CiviCase dashboard
- access activities attached to cases through the api (or at least get past that check)
- not access activities attached to cases through contact dashboard
My take on all this is that CRM_Activity_BAO_Activity::checkPermission should only look at access my cases and activities & access all cases and activities. It seems likely the administer option was only added because it was there for other components in that bit of code.
I also think the page to configure case types should be accessible with 'administer CiviCase' but that is out of scope for this issue.
My main motivation is to address some performance issues around activity retrieval, but I need to clarify this to fix up the relevant code.
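
The comparison described in this issue, modelled as an added PHP example (not part of the original issue and not CiviCRM code): it enumerates every combination of the three permissions and lists the combinations on which the two checks disagree, first for the current behaviour and then for the proposed one. The permission strings are taken from the issue; all function names are hypothetical.

```php
<?php
// Added illustration: a stand-alone model, not CiviCRM source code.
// Permission strings come from the issue; every function name is hypothetical.

const ACCESS_MY  = 'access my cases and activities';
const ACCESS_ALL = 'access all cases and activities';
const ADMINISTER = 'administer CiviCase';

/** True if the user holds at least one of the wanted permissions. */
function hasAny(array $held, array $wanted): bool {
  return (bool) array_intersect($held, $wanted);
}

// Models CRM_Case_BAO_Case::accessCiviCase as described in the issue.
function caseGate(array $held): bool {
  return hasAny($held, [ACCESS_MY, ACCESS_ALL]);
}

// Models CRM_Activity_BAO_Activity::checkPermission as described in the issue.
function activityGateCurrent(array $held): bool {
  return hasAny($held, [ACCESS_MY, ACCESS_ALL, ADMINISTER]);
}

// Models the proposed behaviour: the same permission set as caseGate().
function activityGateProposed(array $held): bool {
  return hasAny($held, [ACCESS_MY, ACCESS_ALL]);
}

/** Returns every permission subset on which the two gates disagree. */
function disagreements(callable $a, callable $b): array {
  $all = [ACCESS_MY, ACCESS_ALL, ADMINISTER];
  $out = [];
  for ($mask = 0; $mask < (1 << count($all)); $mask++) {
    $held = [];
    foreach ($all as $i => $perm) {
      if ($mask & (1 << $i)) {
        $held[] = $perm;
      }
    }
    if ($a($held) !== $b($held)) {
      $out[] = $held;
    }
  }
  return $out;
}

// Compare the case gate with the current, then the proposed, activity gate.
print_r(disagreements('caseGate', 'activityGateCurrent'));
print_r(disagreements('caseGate', 'activityGateProposed'));
```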