Add "priority" column to ACLs and support ACL rule precedence #26592
Conversation
|
(Standard links)
|
seamuslee001
force-pushed
the
acl_rule_weight
branch
from
a3b4a1a to
7b92ef6
Compare
CRM/ACL/BAO/ACL.php
Outdated
| FROM civicrm_acl_cache c, civicrm_acl a | ||
| WHERE c.acl_id = a.id | ||
| AND a.is_active = 1 | ||
| AND a.object_table = %1 | ||
| AND a.id IN ( $aclKeys ) | ||
| AND a.deny = 1 | ||
| GROUP BY a.operation,a.object_id | ||
| GROUP BY a.operation,a.object_id, a.weight |
There was a problem hiding this comment.
Why are you grouping by weight? I would think you would want to order by weight instead.
CRM/ACL/BAO/ACL.php
Outdated
| @@ -530,22 +530,37 @@ private static function loadDenyIDs(int $contactID, string $tableName, int $type | |||
| $aclKeys = array_keys($acls); | |||
| $aclKeys = implode(',', $aclKeys); | |||
| $query = " | |||
| SELECT a.operation, a.object_id | |||
| SELECT a.operation, a.object_id, a.weight | |||
There was a problem hiding this comment.
I'm a little concerned about this query causing a crash in an upgrade situation when the column hasn't been added yet. DAO::getSupportedFields() is your friend.
colemanw
changed the title
CRM/ACL/Form/ACL.php
Outdated
| @@ -164,6 +165,7 @@ public function buildQuickForm() { | |||
| 0 => ts('Allow'), | |||
| 1 => ts('Deny'), | |||
| ]); | |||
| $this->add('text', 'priority', ts('Priority')); | |||
There was a problem hiding this comment.
| $this->add('text', 'priority', ts('Priority')); | |
| $this->add('number', 'priority', ts('Priority')); |
templates/CRM/ACL/Page/ACL.tpl
Outdated
| @@ -31,6 +31,7 @@ | |||
| <th>{ts}Description{/ts}</th> | |||
| <th>{ts}Enabled?{/ts}</th> | |||
| <th>{ts}Mode{/ts}</th> | |||
| <th>{ts}Weight{/ts}</th> | |||
There was a problem hiding this comment.
| <th>{ts}Weight{/ts}</th> | |
| <th>{ts}Priority{/ts}</th> |
| @@ -28,6 +28,7 @@ class CRM_Upgrade_Incremental_php_FiveSixtyFour extends CRM_Upgrade_Incremental_ | |||
| * The version number matching this function name | |||
| */ | |||
| public function upgrade_5_64_alpha1($rev): void { | |||
| $this->addTask('Add weight column onto ACL table', 'addColumn', 'civicrm_acl', 'priority', 'int NOT NULL DEFAULT 0'); | |||
There was a problem hiding this comment.
| $this->addTask('Add weight column onto ACL table', 'addColumn', 'civicrm_acl', 'priority', 'int NOT NULL DEFAULT 0'); | |
| $this->addTask('Add priority column onto ACL table', 'addColumn', 'civicrm_acl', 'priority', 'int NOT NULL DEFAULT 0'); |
Add in upgrade step Rename field to be priority and add in upgrade guards as per Coleman Updates as per discussion with coleman
seamuslee001
force-pushed
the
acl_rule_weight
branch
from
66ccb70 to
bc6e647
Compare
CRM/ACL/BAO/ACL.php
Outdated
| $orderBy = 'a.object_id'; | ||
| $hasPriorty = FALSE; | ||
| if (array_key_exists('priority', CRM_ACL_BAO_ACL::getSupportedFields())) { | ||
| $select .= ',a.priority'; |
There was a problem hiding this comment.
I don't think this needs to be selected.
CRM/ACL/BAO/ACL.php
Outdated
| if (array_key_exists('priority', CRM_ACL_BAO_ACL::getSupportedFields())) { | ||
| $select .= ',a.priority'; | ||
| $orderBy .= ',a.priority'; | ||
| $hasPriority = TRUE; |
…function as per Coleman
seamuslee001
force-pushed
the
acl_rule_weight
branch
from
2061111 to
b2f5462
Compare
|
Ok great, this has passed review and tests are passing. |
|
Hi there, today I tested the newest implementation of the weighting functionality in CiviCRM 5.65.0 and found that I wasn't able to set up my initial usecase due to what seems to be a bug. My usecase included three ACLs: ACL rule 1: Allow access to all custom field groups for all authenticated users → Priority 1 I used the new weighting functionality but didn't get the results I expected. I expected that priority 3 would have precedence over 2 (and 2 over 1), in other words: The higher the number, the higher the priority. But with this setup all users where able to access all custom fields. I then made some tests and realized:
So my guess is that somewhere in the ACL code the weighting logic is somehow flipped for "All custom field groups". This would explain why mixing rules for "All custom field groups" and rules for specific custom field groups in my test setup didn't work. To my regret, this means I won't be able to show the new functionality to a live audience at CiviCamp in Leipzig next monday (2023-09-11). If there's any chance someone would be able to deliver a quick fix that would be absolutely awesome. In any case - I hope my analysis makes sense and shed some light onto a potential bug. Let me know! :) Best regards, Tobias |
Overview
This extends the work done by #26041 by adding in the concept of a priority to ACL rules. This allows for allow or deny rules to take precedence by the priority they are given.
Before
Deny rules always override allow rules without any real flexibility
After
Flexibility
ping @colemanw