Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SearchKit - Allow super admins to disable Search Display access checks #20607

Merged
merged 5 commits into from
Jun 17, 2021
Merged

SearchKit - Allow super admins to disable Search Display access checks #20607

merged 5 commits into from
Jun 17, 2021

Conversation

colemanw
Copy link
Member

@colemanw colemanw commented Jun 15, 2021
edited
Loading

Overview

This allows users with 'all CiviCRM permissions and ACLs' to configure a search display to bypass permission checks and display all records to the user.
image

Technical Details

Once a display is set to bypass ACLs, it can only be edited by a super-admin, ordinary admin users will not be able to edit the display or the saved search.

Such a display will not automatically appear on its own page; it must be embedded in an Afform, and the Afform will act as gatekeeper for users to view the display.

Comments

This builds upon the groundwork done in #19797 and #20533

@civibot
Copy link

civibot bot commented Jun 15, 2021

(Standard links)

@civibot civibot bot added the master label Jun 15, 2021
colemanw added 3 commits June 15, 2021 01:50
@colemanw
SearchKit - Regenerate civix file
386a8a6
@colemanw
Change CRUD permissions for SavedSearch and SearchDisplay to 'adminis…
9ac56a7 
…ter CiviCRM data'

By default, the permission was previously 'administer CiviCRM'.
The new permission is a subset for data administrators.
@colemanw
SearchKit - Add acl_bypass column to civicrm_search_display table
bebdb7f 
The new column determines whether permissions will be checked when running a display
@colemanw colemanw force-pushed the searchDisplayAccessBypass branch from caeeada to c18ff7d Compare June 15, 2021 06:32
@colemanw
APIv4 - Preserve field data type when aggregating into an array using…
259207d 
… GROUP_CONCAT

Ensures that e.g. an array of integer fields will be returned as integers and not an array of strings
@colemanw colemanw force-pushed the searchDisplayAccessBypass branch from c18ff7d to 3944657 Compare June 15, 2021 15:30
@colemanw colemanw changed the title WIP SearchKit - Allow super admins to disable Search Display access checks SearchKit - Allow super admins to disable Search Display access checks Jun 15, 2021
@colemanw
SearchKit - Enable super-admins to disable Search Display access checks
5623bf2 
This allows users with 'all CiviCRM permissions and ACLs' to configure a search display
to bypass permission checks and display all records to the user.

Once a display is set to bypass ACLs, it can only be edited by a super-admin,
ordinary admin users will not be able to edit the display or the saved search.

Such a display will not automatically appear on its own page; it must be
embedded in an Afform, and the Afform will act as gatekeeper for users
to view the display.
@colemanw colemanw force-pushed the searchDisplayAccessBypass branch from 3944657 to 5623bf2 Compare June 15, 2021 17:40
seamuslee001
seamuslee001 reviewed Jun 16, 2021
View reviewed changes
ext/search_kit/CRM/Search/Upgrader.php
* Upgrade 1005 - add acl_bypass column.
* @return bool
*/
public function upgrade_1005() {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So this feels right but just making a point that these Extension upgrades are only run via the Extension Upgrade process not the main upgrade process but it should flag that they need to be done anyway.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO we ought to run extension upgrades as part of the main upgrader.

@seamuslee001
Copy link
Contributor

So @colemanw one question on this is that does this still provide any field level permission handling or does that get completely by-passed as well?

@seamuslee001
Copy link
Contributor

@colemanw I tested this on the PR test site and it seems like it works well but want to do more r-run testing and one thing I just considered is that if a search display cannot be used at all if permissions are disabled without embedding on an afform, should the ability to disable permission only show if afform is enabled?

@colemanw
Copy link
Member Author

colemanw commented Jun 16, 2021
edited
Loading

So @colemanw one question on this is that does this still provide any field level permission handling or does that get completely by-passed as well?

ACL will be by-passed, BUT the search display will never show fields that are not configured to be part of the search, and it will never allow filters that are not explicitly part of the select clause or a filter field on the afform. So those security checks will always be performed.

@colemanw
Copy link
Member Author

should the ability to disable permission only show if afform is enabled?

Well, maybe. I didn't want to rule out the possibility of a developer embedding a search display on some other (non-afform) Angular screen tho.

@seamuslee001
Copy link
Contributor

I think my concerns are satisfied here and it worked in my testing merging.

@seamuslee001 seamuslee001 merged commit 183ca91 into civicrm:master Jun 17, 2021
@seamuslee001 seamuslee001 deleted the searchDisplayAccessBypass branch June 17, 2021 07:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@seamuslee001 seamuslee001 seamuslee001 left review comments

Assignees
No one assigned
Labels
comp:search-kit has-test master
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@colemanw @seamuslee001