New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Revert "Add permission metadata to contact is_deleted field" #22203
Conversation
This reverts commit d2ff128. ACLs for accessing deleted contacts are already enforced in the query, so this field was being hidden for UI purposes not ACL purposes. It had the unfortunate side-effect of crashing any API call using `is_deleted` in the WHERE clause for non-permissioned users.
(Standard links)
|
@jmcclelland Are you able to review this? |
@totten - yes, I can review. Can you confirm what commands I need to run after applying the fix? I tried:
But my tests are still failing in the same way as before the fix. I wonder if I'm missing a step? Or if the fix is not working? |
@jmcclelland @colemanw Those steps sound more than sufficient to me... (Since DAOs are committed to git, I would expect a simple |
Yea the cache flush is critical because APIv4 metadata is stored in the cache. |
So then |
Yes - I'm still working on it. I'm somewhat befuddled by the mixture of permissions needed to make it fail in the first place. I plan to have either a report or a semi-intelligent question later today. |
@totten and @colemanw - I figured out my befuddlement. There is a difference in behavior between 5.39 lts and master. WIth 5.39 lts granting or restricting the 'access deleted contacts' permission controls whether or not the error is triggered. In master, as long as the user has 'access CiviCRM backend and API' permission, the error will not be triggered. But if the user doesn't have that permission, then the error will be triggered (regardless of whether or not they have 'access deleted contacts'). After applying the patch, I'm not seeing any difference. I'm not sure what's going on but will work on a test to try to demonstrate the behavior (or uncover something dumb I may be doing). |
Hi all, I've finally finished the review and it's surprisingly messy for what seems like such a simple change. r-eplain: issue: See below. Wah, the explanation is no longer true - maybe it could be updated with a preface "In previous versions" and a final sentence "Also, this change makes querying on There is some subtle change to the Api4 in master compared with version 5.39 making the original issue less urgent. Now, as long as you have "access CiviCRM" permissions, you won't get the error when you call Api4 with However, I still think this change is an important improvement. Consider this scenario:
Before the change: You get the first record in the database that is not deleted (unexpected). That's because the After the change: You get no results (expected) And lastly, I was a bit surprised that I could access the phone bank without "access CiviCRM" permissions simply by knowing the right URL, but I don't think this is a security concern since:
|
Thanks for the review @jmcclelland - based on your review this ought to get merged, and IMO should be merged into 5.45 so people stop getting tripped up by the unexpected behavior. |
Overview
Fixes https://lab.civicrm.org/dev/core/-/issues/2507 by reverting the commit from #17721.
Technical Details
This reverts commit d2ff128.
ACLs for accessing deleted contacts are already enforced in the query, so this field was being hidden for UI purposes not ACL purposes.
It had the unfortunate side-effect of crashing any API call using
is_deleted
in the WHERE clause for non-permissioned users.It would be nice to hide it from SearchKit for non-permissioned users, but not mission-critical, and it's far more critical for us to prevent the crashes documented in https://lab.civicrm.org/dev/core/-/issues/2507.