Rationalise Activity api ACLs for consistency, to respect the hook & improve performance #13664
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
(Standard links)
|
efd58e4 to
deca550
Compare
We have a lot of inconsistency about how (and if) activity ACLs are applied. Note that permissions only apply when the api is being called with check_permissions = TRUE - e.g from the js layer. This PR changes the logic used for the activity.get api to be consistent with the report logic which a) is the most performant variant b) is the one with the least code complexity c) is more consistent with CiviCase d) allows hooks to modify the permissions applies e) creates consistency between api v3 & v4 f) is consistent with some site user expectations but not others - the presence of all this inconsistency is an indicator not everyone wants the same thing but given that choosing a performant & maintainable option for core seems like a good criteria. After this patch 1) the 'view all activities' permission will no longer by-pass all other ACLs. One could argue that's exactly what it means - but it doesn't do that in the UI which seems like the standard elsewhere. 2) a user will be able to view an activity via the api if they have permission to view ANY contact linked to it (before it was ALL contacts via the api) 3) a user will not see the names of any contacts they do not have permission over when requesting activity contact details in return parameters 4) getcount will no longer by-pass the api 5) performance is improved Places where permissioning applies to activities - activities listing on contact - shows actitivies & related contact names regardless of permission to view the contacts - activity search results -- shows actitivies & related contact names regardless of permission to view the contacts - activity view page - links to view the activity exist on the above 2 screens but will give access denied unless they can see ALL related contacts - activity reports - shows activities if ANY related contacts are permitted, suppresses names of unpermitted contacts Potential follow on steps 1) make the activity tab listing consistent by switching from the unperformant deprecatedGetActivities fn to the performance getActivities fn - there are no remaining blockers to that. 2) align the activity view screen & add in hook call there too 3) align activity search results screen, address performance issues there too....
deca550 to
cdacd6a
Compare
colemanw
reviewed
Feb 26, 2019
| // This just prevents a mysql fail if they have no access - should be extremely edge case. | ||
| $permittedActivityTypeIDs = [0]; | ||
| } | ||
| $clauses['activity_type_id'] = ('IN (' . implode(', ', $permittedActivityTypeIDs) . ')'); |
There was a problem hiding this comment.
This would be more efficient if we skip adding this clause if getPermittedActivityTypes returns the full set of types.
There was a problem hiding this comment.
It's filtered by component
|
Thanks Eileen for doing this deep dive. I don't have any specific comments on the code changes but fully support the goals. |
|
I'm also a +1 on the goals here. Maintaining compatibility with Activity Type ACLs extension is important, but you specifically mentioned hooks altering the permissions so I assume this is fine. I should downgrade "maintaining compatibility" to "comparable compatibility is possible with a new version of the extension". |
|
Just noting that I sent an email to the dev list about this (hence the 2 comments above) |
|
@MegaphoneJon WRT the activityTypeACLS they don't apply in most places at the moment but this
|
|
Merging based on positive feedback and passing tests. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
This PR alters the way permissions are handled on sites that use ACLs when the activity.get api is called with the 'check_permissions' flag set to TRUE. This would usually be the case for js calls
Before
After
After this patch
what it means - but it doesn't do that in the UI which seems like the standard elsewhere.
Technical Details
We have a lot of inconsistency about how (and if) activity ACLs are applied. Note that permissions only apply
when the api is being called with check_permissions = TRUE - e.g from the js layer.
This PR changes the logic used for the activity.get api to be consistent with the report logic
which
a) is the most performant variant
b) is the one with the least code complexity
c) is more consistent with CiviCase
d) allows hooks to modify the permissions applies
e) creates consistency between api v3 & v4
f) is consistent with some site user expectations but not others - the presence of all this inconsistency
is an indicator not everyone wants the same thing but given that choosing a performant &
maintainable option for core seems like a good criteria.
After this patch
what it means - but it doesn't do that in the UI which seems like the standard elsewhere.
Places where permissioning applies to activities
can see ALL related contacts
Potential follow on steps
to the performance getActivities fn - there are no remaining blockers to that.
Comments
I did a more detailed current breakdown over here https://docs.google.com/spreadsheets/d/1JHzYDiyssnGOAIEwnSQof_mrZ-Mh9E-grMnSsuZMQGE/edit#gid=0