Fix accessible mailings when users don't have view all contacts permission
CRM_Mailing_BAO_Mailing::mailingACLIDs is responsible for limiting the mailings that are visible to users when they do not have either view or edit all contacts (at the BAO layer at least).
It works by returning a list of Ids of mailings that should be visible.
One of the queries that is used to construct this list looks like this:
```sql
SELECT DISTINCT(m.id) AS id
FROM civicrm_mailing m
LEFT JOIN civicrm_mailing_group g ON g.mailing_id = m.id
WHERE ((g.entity_table LIKE 'civicrm_group%'
        AND g.entity_id IN (3))
    OR (g.entity_table IS NULL
        AND g.entity_id IS NULL
        AND m.domain_id = 1))
```
The logic behind the `OR (g.entity_table IS NULL AND g.entity_id IS NULL AND m.domain_id = 1)` where clause looks wrong to me.
My assumption is that it is there because if you created a mailing (added lots of content, etc.) but didn't then assign it a group, it would suddenly disappear from view when you went back to look for it because it didn't contain a group that you have access to.
The problem with this condition is that the user also gets to see mailings by other contacts who have similarly not defined any groups yet.
Provided the above assumption is correct, a better condition would be `OR m.created_id = $user_id`
(where user id is the contact ID of the currently logged in user).
@JonGold, I wonder what you think about this given that your issue https://issues.civicrm.org/jira/browse/CRM-16981 was similar in nature. @seamuslee - I'm guessing you might have some thoughts on this as well.
Also related is https://issues.civicrm.org/jira/browse/CRM-18181 (though I have not yet got my head around how :)
Aaalso related, in my experimentation, the Mailing api does not respect these permissions, so people get to see all mailings in the recipients field in the Angular powered new CiviMail UI. Are you experiencing that @JonGold?
I'm running the above suggestion with a client at the moment. If we get some consensus on how it should work, I would be happy to shepherd this into core.
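
The two conditions compared side by side, as an added example that is not part of the original post or CiviCRM's own code. It assumes a simplified in-memory SQLite schema holding only the columns the query touches; the rows and the contact IDs 10 (current user) and 20 (another contact) are constructed.

```python
import sqlite3

# Simplified, constructed schema: only the columns the ACL query touches.
SCHEMA = """
CREATE TABLE civicrm_mailing (id INTEGER PRIMARY KEY, domain_id INT, created_id INT);
CREATE TABLE civicrm_mailing_group (mailing_id INT, entity_table TEXT, entity_id INT);
-- Constructed rows: contact 10 is the current user, contact 20 is someone else.
INSERT INTO civicrm_mailing VALUES
  (1, 1, 10),  -- user's mailing, sent to group 3 (accessible)
  (2, 1, 10),  -- user's draft, no group assigned yet
  (3, 1, 20),  -- other contact's draft, no group assigned yet
  (4, 1, 20);  -- other contact's mailing, sent to group 7 (not accessible)
INSERT INTO civicrm_mailing_group VALUES
  (1, 'civicrm_group', 3),
  (4, 'civicrm_group', 7);
"""

BASE = """
SELECT DISTINCT m.id FROM civicrm_mailing m
LEFT JOIN civicrm_mailing_group g ON g.mailing_id = m.id
WHERE ((g.entity_table LIKE 'civicrm_group%' AND g.entity_id IN ({groups}))
   OR {fallback})
ORDER BY m.id
"""

# Fallback clause from the query in the post, and the one the post proposes.
CURRENT = "(g.entity_table IS NULL AND g.entity_id IS NULL AND m.domain_id = ?)"
PROPOSED = "m.created_id = ?"

def visible(conn, group_ids, fallback, param):
    """Return the mailing IDs the ACL query exposes for the given fallback clause."""
    placeholders = ",".join("?" * len(group_ids))
    sql = BASE.format(groups=placeholders, fallback=fallback)
    return [row[0] for row in conn.execute(sql, [*group_ids, param])]

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    current = visible(conn, [3], CURRENT, 1)     # bound value: domain_id 1
    proposed = visible(conn, [3], PROPOSED, 10)  # bound value: contact ID 10
    return current, proposed

if __name__ == "__main__":
    current, proposed = demo()
    print("current condition :", current)   # includes contact 20's groupless draft
    print("proposed condition:", proposed)  # only group 3 mailings and own mailings
```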