projects / civicrm-core.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 6977ced) | patch
Add new Super-duper-no-permissions-apply permission
authoreileen <emcnaughton@wikimedia.org>
Sat, 13 Mar 2021 02:31:48 +0000 (15:31 +1300)
committereileen <emcnaughton@wikimedia.org>
Mon, 22 Mar 2021 22:59:18 +0000 (11:59 +1300)
commitea54c6e527ebb2c44b2dea2817df1e6a79dd10d9
treefaa120addfcb55c67809c546e66475baefae1757tree | snapshot (zip tar.gz)
parent6977cedf584cd437a4f68e7a3266efd777d2beafcommit | diff
 Add new Super-duper-no-permissions-apply permission

We discussed in the context of search kit that there are 2 competing concepts of
'administer CiviCRM'
1) like drupal user 1, can do anything
2) role that has various administrative access but acls etc still apply

In search kit we have an interest in allowing users who won't do dumb things
  the ability to expose data to people who otherwise would not have access to that data
   - e.g to create a listing of event participants to expose to anonymous users.

This effectively means we are giving people the power to create displays
that set check_permissions to FALSE. This would potentially enable people
to not just bypass ACLs applied to others but also acls applied to them.
In order words it could be a privellege escallation.

To prevent any unexpected escallation we decided that this ability
should only be given to contacts who explicitly have access to everything
anyway. There is no existing permission that does this (although
there is a perception that there is)
CRM/Core/Permission.php diff | blob | blame | history
CRM/Core/Permission/Base.php diff | blob | blame | history
CRM/Core/Permission/Drupal6.php diff | blob | blame | history
CRM/Utils/Hook.php diff | blob | blame | history
tests/phpunit/CRM/Core/Permission/BaseTest.php diff | blob | blame | history