incorrectly/inadvertently requires "Access all Custom Data" to create or configure an event
Summary:
Users who have permissions to create and configure events, but do not have "Access all Custom Data" permission, receive "Authorization failed" api4 error when attempting to access the "Info and Settings" tab of event configuration.
Specifics:
- CiviCRM permissions "CiviEvent: access CiviEvent" and/or "CiviEvent: edit all events" should be enought to create and/or edit event configuration.
- Permission "CiviCRM: access all custom data" should not be required for such actions.
- Some organizations remove the "CiviCRM: access all custom data" permission for most staff users and make use of ACLs to ensure only certain staff can access certain custom data groups.
- On such sites, where this extension is installed and configured, a user who has "CiviEvent: access CiviEvent" and "CiviEvent: edit all events" and has ACL access to the Zoom custom field group, but does not have "CiviCRM: access all custom data", will not be able to create a new event or access the "Info and Settings" tab of an existing event. Instead they are met with an "Authorization failed" error (which often manifests only as "Network Error: Unable to reach the server. Please refresh this page in your browser and try again.", due quirks in CiviCRM's AJAX-driven interface).
Technical details:
-
This line in
CRM_NcnCiviZoom_Utils::getAccountIdCustomFieldName()
uses api4customField.get
to determine the relevant zoom custom field name. - However, api4 doesn't offer the customField.get action to users without "CiviCRM: access all custom data" (I'm not certain that this permission is the only check here, but some quick testing verifies that this permission will grant access to this api4 action).
- Therefore, any execution path through this method will result in "Authorization failed" for users with the described permissions.
Possible quick fix:
Explicitly skip permission checks on this api4 call, e.g.
diff --git a/CRM/NcnCiviZoom/Utils.php b/CRM/NcnCiviZoom/Utils.php
index 270d80c..c2b0d2b 100644
--- a/CRM/NcnCiviZoom/Utils.php
+++ b/CRM/NcnCiviZoom/Utils.php
@@ -55,7 +55,7 @@ class CRM_NcnCiviZoom_Utils {
if (!$customId) {
return NULL;
}
- $field = \Civi\Api4\CustomField::get(TRUE)
+ $field = \Civi\Api4\CustomField::get(FALSE)
->addSelect('custom_group_id:name', 'name')
->addWhere('id', '=', $customId)
->execute()
(BTW, I'm honestly interested in the side conversation about why such permission-skipping is or is not ill-advised.)
Possibly better fix:
As mentioned in the docblock for this method:
* ... we should really just upgrade the settings to store the api4 name
* instead of the CustomField ID.
(Joinery reference: F#1332}
Edited by AllenShaw