Edge-case - the system breaks for domains with no Groups
This is a very edgey edge case, which took us a little while to get to the bottom of...
When an administration with civi domain permissions tries to save one of their contacts on a domain with no other groups, they lose access to the contact after saving, and the contact loses all its groups (regardless of domain).
Steps to recreate:
- Set up a new multisite domain
- Ensure the domain has an associated organization, and a group to manage the ACLs.
- There should be one row for the domain in the civicrm_group_organization table, linking the org to the access group
- Assign some contacts to the domain access group
- There should be no other groups set up for the domain, so a domain editor sees no groups in the 'manage groups' list
- As a domain editor, without full CiviCRM permissions, view one of your contacts
- Note that 'Groups: 0' is displayed - this is expected, the domain access group is hidden by default
- Click 'Edit' to edit the contact
- Note that the 'Groups' dropdown is hidden/missing (this must be a recent usability change in core!) - because there are no groups visible to the admin to add them to
- Save changes
- The admin loses access to the contact 'Sorry but you don't have permission to view this contact'
- Because saving the record removes ALL groups from the contact - regardless of what domain they're on
- As a super admin, view the contact - no groups!
Workaround:
- Ensure that any multisite domain has at least one group, even if it's empty
- Provided the 'Groups' dropdown is present on the edit form, the contact's existing groups will be preserved (regardless of the domain of the groups), when the record is saved.