Activity-based SearchKit results for 'restricted' users (via the Related Permissions Module) are no longer restricting results to only Activities of Contacts the user has access to
https://chat.civicrm.org/civicrm/pl/wj4t3rrh7ir5uyz7t88c7fuj8o
We are using the "Related Permissions Module": https://civicrm.org/extensions/relationship-permissions-acls
Beyond that, all we are doing is:
- use relationship A to join X (teacher) to Y (school)
- use relationship B to join Y (school) to Z (student)
- give X necessary permissions to see All Activities but not see All Contacts.
This means that in pure CiviCRM, when X logs in, they only see their Students and the relevant Activities.
- Add an SK to show My Contacts and confirm that X only sees their Students - PASS
- Add an SK to show My Activities (I can export but it is super simple) and confirm that X only sees Activities where their Students are the Target - FAIL - they now see all Students with specified Activity
This was the query from the above, which worked up till last week when we ran a civi upgrade:
SELECT a.id AS id, a.subject AS subject, a.activity_type_id AS activity_type_id:label, Activity_ActivityContact_Contact_01.sort_name AS Activity_ActivityContact_Contact_01.sort_name, Activity_ActivityContact_Contact_01.id AS Activity_ActivityContact_Contact_01.id
FROM civicrm_activity a
INNER JOIN (civicrm_activity_contact Activity_ActivityContact_Contact_01_via_activitycontact INNER JOIN civicrm_contact Activity_ActivityContact_Contact_01 ON (Activity_ActivityContact_Contact_01_via_activitycontact.contact_id = Activity_ActivityContact_Contact_01.id)) ON Activity_ActivityContact_Contact_01_via_activitycontact.record_type_id = "3" AND Activity_ActivityContact_Contact_01_via_activitycontact.activity_id = a.id
LEFT JOIN civicrm_value_attendance_record_15 Attendance_record_1 ON a.id = Attendance_record_1.entity_id
WHERE (a.activity_type_id = "51")
AND (Attendance_record_1.week_commencing_124 BETWEEN "20231203" AND "20231209")
AND (a.is_test = "0")
AND (a.is_deleted = "0")
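
A leak check for the failing case reported above, as an added example that is not part of the original report or of CiviCRM: it runs a simplified form of the query (the attendance custom-field join is omitted) and lists any row whose Target contact is outside the user's permitted set. The `permitted_contact` table, the `:uid` restriction clause and all sample rows are constructed assumptions standing in for whatever the ACL layer would add; they are not CiviCRM's generated SQL.

```python
import sqlite3

# Constructed sample data: teacher X is contact 1; students 10 and 11 belong
# to X's school, student 20 does not. permitted_contact is a hypothetical table.
SCHEMA = """
CREATE TABLE civicrm_contact (id INTEGER PRIMARY KEY, sort_name TEXT);
CREATE TABLE civicrm_activity (id INTEGER PRIMARY KEY, subject TEXT,
    activity_type_id INTEGER, is_test INTEGER, is_deleted INTEGER);
CREATE TABLE civicrm_activity_contact (activity_id INTEGER,
    contact_id INTEGER, record_type_id INTEGER);
CREATE TABLE permitted_contact (user_id INTEGER, contact_id INTEGER);
INSERT INTO civicrm_contact VALUES (1,'Teacher, X'),(10,'Student, A'),
    (11,'Student, B'),(20,'Student, C');
INSERT INTO civicrm_activity VALUES (100,'Attendance',51,0,0),
    (101,'Attendance',51,0,0),(102,'Attendance',51,0,0),
    (103,'Attendance',51,0,1);
INSERT INTO civicrm_activity_contact VALUES (100,10,3),(101,11,3),
    (102,20,3),(103,10,3);
INSERT INTO permitted_contact VALUES (1,10),(1,11);
"""

# Same shape as the reported query: Target contacts (record_type_id = 3) only.
BASE = """
SELECT a.id, c.id
FROM civicrm_activity a
INNER JOIN civicrm_activity_contact ac
    ON ac.record_type_id = 3 AND ac.activity_id = a.id
INNER JOIN civicrm_contact c ON ac.contact_id = c.id
WHERE a.activity_type_id = 51 AND a.is_test = 0 AND a.is_deleted = 0
"""
# Assumed stand-in for the contact restriction the report expects to be applied.
RESTRICTED = BASE + """
AND c.id IN (SELECT contact_id FROM permitted_contact WHERE user_id = :uid)
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def leaked_rows(db, sql, uid):
    """Return (activity_id, target_contact_id) rows the user should not see."""
    allowed = {r[0] for r in db.execute(
        "SELECT contact_id FROM permitted_contact WHERE user_id = ?", (uid,))}
    params = {"uid": uid} if ":uid" in sql else {}
    return [(a, c) for a, c in db.execute(sql, params) if c not in allowed]

if __name__ == "__main__":
    db = build_db()
    print("unrestricted leak:", leaked_rows(db, BASE, 1))
    print("restricted leak:  ", leaked_rows(db, RESTRICTED, 1))
```

The same subset assertion can be pointed at a real site by replacing the permitted set with the contact ids the restricted user sees in the "My Contacts" search.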