I like the 'pending' idea, but presumably it would also need an admin override,
e.g. someone signs up, does not authenticate, but then turns up at a meeting and hence needs marking off as a Participant.
And for that reason I am not keen on the 'delete' suggestion unless it can confirm that no other data has been added to that record in the meantime.
I suspect both routes are tricky.
I see Contact Types is available for automated discounts; does this not apply to sub contact types?
If not, can we propose and offer a patch to add this, or are we better off just using the API option?
Updating to refine the above: this is an issue in Find Activities, so it is not SK-specific.
Changed some Labels too. Not sure I can see any specifically to do with ACL; I could add 'sig: security improvement' but don't want to set any alarms blaring.
Steps to replicate:
1. Add a user A without 'view all contacts' permissions.
2. Make an ACL group with user A in it.
3. Add some other contacts B to be the folk that the user should be able to access.
4. Add some Activities that B are associated with, and ensure that other contacts C are also associated with the Activity.
5. As A, do a Find Activities. They should see all Activities that B is associated with, but they will also see the names of all other Contacts (C) on those Activities whom their ACL should, IMO, prevent them from seeing.
(Will remove the 'needs steps to replicate' on the basis that I think the above suffices.)
Since this is not an SK issue but a core CiviCRM issue, namely that Find Activities displays the names of all contacts on Activities where a user may only have ACL access to one of them, should I just retitle this ticket, or close it and open another? I don't want this to get lost, as it still seems like a security weakness.
petednz (2ad8a814) at 06 Feb 01:11
And this is an Activity-based SK, not Contact-based, in case that is a factor on 5.70.alpha1.
On a new site we are building I set up an ACL and tested with a user via a SearchKit,
and this user only has permission to see 'ACL Test Target', but if they click on 'Peter Davis' they get a 'you do not have permission' error, and that is why I think the SK search is also showing the 'contact name' of contacts whom they do not have permission to see.
I hope I can convey this clearly. Jitendra reckons there is a factor I wasn't considering, namely that if, as a restricted user, I do a search in Find Activities (or Search Kit), then I see all Activities which have an Assignee or Creator or Target that the user has access to see (fair enough), but I also see the names (clickable) of all Contacts referred to in the Activity, even if the user does not have permission to see them as 'Contacts'. If I click through to any of those whom I do not have permission to see, then I get "Error: You do not have the necessary permission to view this contact."
I don't know if this is a 'breach' of information, but it feels wrong to me, as they see the names of contacts whom they should be prevented from seeing.
Jitendra says:
That point in the code hasn't changed in the last 5 years - https://github.com/civicrm/civicrm-core/blame/master/CRM/Activity/BAO/Activity.php#L827 - so I believe this has been like this for a long time.
To fix it, there's a hook available to adjust the ACL clause, https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_selectWhereClause/, which can be used for our use case, i.e. it will only consider target contacts for permission.
I will have him work on that on Monday unless there are other things to consider.
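The following is an added example of the hook-based tightening Jitendra suggests above; it is not CiviCRM core code and not this project's own fix. It assumes an extension with the (hypothetical) hook prefix "myext", that CRM_Utils_SQL::mergeSubquery('Contact') returns the core Contact ACL subquery fragments that core's Activity BAO itself reuses, and the standard activity_contacts record_type_id values (1 = Assignees, 2 = Activity Source, 3 = Activity Targets).

```php
<?php
// Added example (not CiviCRM core, not this project's fix): narrow the
// Activity ACL so a restricted user only sees an Activity when one of its
// *target* contacts is ACL-visible. Core's own clause also matches the
// assignees and the source/creator, which is what produces the wider result
// set described in the thread.
//
// Assumptions: hook prefix "myext" (hypothetical extension short name);
// CRM_Utils_SQL::mergeSubquery('Contact') yields the Contact ACL fragments;
// record_type_id 3 is "Activity Targets".

/**
 * Implements hook_civicrm_selectWhereClause().
 *
 * @param string $entity  Entity being queried, e.g. 'Activity'.
 * @param array  $clauses Field name => list of SQL fragments, ANDed together.
 */
function myext_civicrm_selectWhereClause($entity, &$clauses) {
  if ($entity !== 'Activity') {
    return;
  }
  // Unrestricted users keep core behaviour; this hook only ever tightens.
  if (CRM_Core_Permission::check('view all contacts')) {
    return;
  }
  // Reuse the Contact ACL subquery so "visible contact" means exactly what
  // the contact search means by it, rather than re-implementing ACL logic.
  $contactClauses = CRM_Utils_SQL::mergeSubquery('Contact');
  if (empty($contactClauses)) {
    return;
  }
  $contactSql = implode(' AND contact_id ', $contactClauses);
  // This is ANDed with core's existing 'id' clause, so the effective rule is
  // "visible via any role" intersected with "visible via a target", i.e.
  // target-only in practice.
  $clauses['id'][] = "IN (SELECT activity_id FROM civicrm_activity_contact "
    . "WHERE record_type_id = 3 AND contact_id $contactSql)";
}
```

Note that this only changes which Activity rows come back. It does not strip the names of other, non-visible contacts from the assignee or target columns of rows that are still returned, which is the separate concern raised in the comment above; that part needs handling at the display or field-permission level rather than in the row-level ACL clause.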
OK, so we now have the individual activities created as expected, and I will get Jitendra to try and glean some more information about this. Hopefully we can get a fix in the next few days; otherwise we will need to rebuild the SK with all the 'current user - relationship to school - school relationship to student' bits that I was hoping Permissioned Relationships would save us from :-)
Sorry @colemanw, totally missed this. Will try and get J to check it this afternoon. (The site is already on 5.71.alpha1 and still seeing this issue, but I suspect that your above fix isn't in there; I tried but got lost finding my way around to see if I could tell which version this commit is included in.)
In our case an Activity should be set up for each Student, but I just went and checked and (blame it on the summer holidays) whoever set up the Activities this week failed to do that, hence all students are on the one Activity. Will report back once they fix that glitch, in case it is obfuscating things.
Was directing folk to GitHub, but it should be https://lab.civicrm.org/extensions/civicrmmailer-d8/-/issues
petednz (2ad8a814) at 28 Jan 23:27
Update README.md to link to correct Issues queue
PREVIOUS: If a logged-in/checksum user who has a membership visited a membership page offering that Membership Type, they were greeted with "Your XX Membership expires on YY".
CURRENT: Replicated on dmaster; no such message is showing.
Done. I noticed the pay-later invoice from an MIH does not include the Contribution/Inv ID, so hopefully it's easy for you to reconcile anyway. I think in the past some of my 'pay later' payments via Wise didn't cause the widget on the MIH to change. Shrug.
Will chip in if there is an MIH, or contribute some dev/reviewer time.
Was trying to use the API to get the 'next sched date' to see what that has, but it looks like NULL, perhaps because I can only get so far with test payment credentials.