dev/core#1517 - Permission error on event info page for anonymous users

[jitendrapurohit]

Overview

Fix permission error on event info page.

Before

Giving anonymous "access CiviEvent" in addition to "view event info" cause them to get "API permission check failed for Event/get call; insufficient permission: require access CiviCRM".

After

Fixed.

Technical Details

Manage event links should only be loaded for users having edit all events permission.

Comments

Gitlab - https://lab.civicrm.org/dev/core/issues/1517

[civibot]

(Standard links)

• If this is your first pull-request for CiviCRM, please browse CONTRIBUTING.md for information about the development and testing processes.
• If you are reviewing this pull-request, you may wish to consult the test sites and the Review Standards (long template, short template).

[eileenmcnaughton]

@jitendrapurohit how does this work - the description implies you are loosening permissions but the code change is a tightening

FWIW I think it's best to define perms in the menu xml for the url

[jitendrapurohit]

@eileenmcnaughton The line modified in this PR is for building the manage event links on the event info page -

Before this change, only access CiviEvent was used to check and load these links using CRM_Event_Page_ManageEvent::tabs($enableCart). This function uses Event get call which failed for anonymous users.

As these links are displayed on tpl to users having edit all events permission, the PR ensures the same on php side too.

[eileenmcnaughton]

OK - that makes sense now