
Extend contribute search url parsing to advanced search #14939

Merged
merged 1 commit into from Jul 31, 2019

Conversation

@eileenmcnaughton (Contributor) commented Jul 31, 2019

Overview

Makes url search params that work in contribution search work in advanced search

Before

Params have no effect if passed in the url

After

[Screenshot omitted: advanced search after the change, 2019-07-31]

Technical Details

@monishdeb this was where my train of thought was going when I drifted off in my other code comments - I was digging in the contribution search & seeing why it worked there & this seems like a more generic version of that. At this stage only the contribution metadata is added so only those fields work. I think the loadMetadata() function could load all entities - but I think this needs some permissions testing (which I haven't done yet) before extending.

However, once done it would just be a case of adding

$this->addSearchFieldMetadata(['Activity' => CRM_Activity_BAO_Activity::getActivitySearchFieldMetadata()]);

And then activity_date_time_high etc should also work

Comments

@civibot commented Jul 31, 2019

(Standard links)

@civibot civibot bot added the master label Jul 31, 2019

@@ -414,8 +414,6 @@ public function fixFormValues() {
if (!$this->_force) {
return;
}
// Start by loading url defaults.
$this->_formValues = $this->setDefaultValues();
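Review bot: the +/- markers of this hunk were lost in extraction, so it is not visible which two lines (per the `-414,8 +414,6` header) leave fixFormValues(); if they are the `// Start by loading url defaults.` comment and the `$this->_formValues = $this->setDefaultValues();` assignment, as the author's reply ("moved into setFormValues") suggests, the new location should keep the `if (!$this->_force) { return; }` guard in front of the load so that URL-supplied criteria are still only applied when force is set.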

@eileenmcnaughton (Author, Contributor) Jul 31, 2019

moved into setFormValues

protected function loadMetadata() {
// @todo - check what happens if the person does not have 'access civicontribute' - make sure they
// can't by pass acls by passing search criteria in the url.
$this->addSearchFieldMetadata(['Contribution' => CRM_Contribute_BAO_Query::getSearchFieldMetadata()]);
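Review bot: loadMetadata() adds the Contribution search field metadata unconditionally while the @todo directly above it leaves the 'access civicontribute' ACL question open, so as written a user without the contribution panel still gets contribution criteria from the URL parsed into the search. Suggest either gating the addSearchFieldMetadata() call on the 'access CiviContribute' permission check before merge, or stating in the commit message that the query built by CRM_Contribute_BAO_Query enforces ACLs so that parsing the criteria cannot expose rows the user may not see.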

@monishdeb (Member) Jul 31, 2019

@eileenmcnaughton are we missing ContributionSoft entity here?

@eileenmcnaughton (Author, Contributor) Jul 31, 2019

well yes & no - yes in that it probably should be there in the end - but no in the sense that no ContributionSoft fields have been converted to metadata as yet

@monishdeb (Member) commented Jul 31, 2019

Agree with this patch. Tested on local, working fine.

@eileenmcnaughton (Contributor, Author) commented Jul 31, 2019

@monishdeb did you test whether there is any security bypass implications?

(Hopefully the BAO manages it but...)

@monishdeb (Member) commented Jul 31, 2019

@eileenmcnaughton yes I did. The CRM_Utils_Request::retrieveValue($fieldName, $this->getValidationTypeForField($entity, $fieldName)) call in getEntityDefaults() ensures that the url values are validated and fetched as per data type. Apart from that there aren't any other security implications.
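The comment above describes the defensive pattern at stake: a URL parameter is only accepted as a search default when it passes the validation type declared in the field metadata. The PHP below is an added illustration of that pattern, not CiviCRM's code; FIELD_METADATA, ENTITY_PERMISSION, validateValue(), userCan() and loadSearchDefaultsFromUrl() are names assumed for this example, and it also shows the permission gate that the earlier @todo left open, so that a hidden panel's criteria are dropped rather than parsed.

```php
<?php
// Added example (not CiviCRM's code): apply URL search criteria to a form only
// after each value passes a per-field type check taken from field metadata,
// and only for entities whose search panel the user is permitted to see.
// FIELD_METADATA, ENTITY_PERMISSION, validateValue(), userCan() and
// loadSearchDefaultsFromUrl() are names assumed for this example.

// Constructed metadata: entity => [field name => validation type].
const FIELD_METADATA = [
  'Contribution' => [
    'contribution_status_id' => 'Positive',
    'receive_date_low'       => 'Timestamp',
    'receive_date_high'      => 'Timestamp',
    'total_amount_low'       => 'Money',
  ],
];

// Constructed mapping of entity => permission that guards its search panel.
const ENTITY_PERMISSION = ['Contribution' => 'access CiviContribute'];

// Stand-in for a real permission check: the caller supplies the granted set.
function userCan(string $permission, array $granted): bool {
  return in_array($permission, $granted, true);
}

// Validate one raw URL value against its declared type. Returns the typed
// value, or null when the value does not conform and must be ignored.
function validateValue(string $raw, string $type) {
  switch ($type) {
    case 'Positive':
      return (ctype_digit($raw) && (int) $raw > 0) ? (int) $raw : null;
    case 'Money':
      return preg_match('/^\d+(\.\d{1,2})?$/', $raw) === 1 ? $raw : null;
    case 'Timestamp':
      if (preg_match('/^(\d{4})-(\d{2})-(\d{2})( \d{2}:\d{2}:\d{2})?$/', $raw, $m) !== 1) {
        return null;
      }
      return checkdate((int) $m[2], (int) $m[3], (int) $m[1]) ? $raw : null;
    default:
      return null; // unknown validation type: never pass the value through
  }
}

// Build form defaults from the query string. Only fields that have metadata
// for an entity the user may search are considered; unknown fields and
// values failing their type check are dropped rather than passed through.
function loadSearchDefaultsFromUrl(array $query, array $granted): array {
  // Mirror the form's force guard: without force=1, nothing is loaded.
  if (empty($query['force'])) {
    return [];
  }
  $defaults = [];
  foreach (FIELD_METADATA as $entity => $fields) {
    if (!userCan(ENTITY_PERMISSION[$entity], $granted)) {
      continue; // the panel is hidden for this user, so its criteria are ignored
    }
    foreach ($fields as $name => $type) {
      if (!array_key_exists($name, $query)) {
        continue;
      }
      $value = validateValue((string) $query[$name], $type);
      if ($value !== null) {
        $defaults[$name] = $value;
      }
    }
  }
  return $defaults;
}

// Constructed request: two well-formed values, one malformed amount, and one
// field for which no metadata has been loaded.
$query = [
  'force'                  => '1',
  'contribution_status_id' => '1',
  'receive_date_low'       => '2019-07-01',
  'total_amount_low'       => 'abc',
  'contact_tags'           => '3',
];

var_export(loadSearchDefaultsFromUrl($query, ['access CiviContribute']));
echo PHP_EOL;
var_export(loadSearchDefaultsFromUrl($query, []));
echo PHP_EOL;
```

Run with `php example.php`. With the permission granted, only the two well-formed Contribution values are kept; the malformed amount and the field without loaded metadata are silently dropped. Without the permission the Contribution block is skipped entirely, which is the property the thread is asking about: a user who cannot see the contribution panel cannot have contribution criteria applied on their behalf through the URL.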

@eileenmcnaughton (Contributor, Author) commented Jul 31, 2019

@monishdeb Ok - I was worried that we would have a scenario whereby the contribution panel would be suppressed due to the contact not having 'access CiviContribute' but they could still pass a contribute criteria in the url & thus learn information about contributions they don't have

@monishdeb monishdeb merged commit 7cf2668 into civicrm:master Jul 31, 2019

1 check passed (default: Build finished.)

@eileenmcnaughton eileenmcnaughton deleted the eileenmcnaughton:cont branch Jul 31, 2019
