From cc4776933e85e977702876dbff86163d3604b197 Mon Sep 17 00:00:00 2001 From: eileen Date: Thu, 29 Aug 2019 10:59:18 +1200 Subject: [PATCH] Open up permissions on Dedupe.getduplicates Currently the action Dedupe.getduplicates is defaulting to 'administer CiviCRM'. The function manages permissions internally (ie. you can't retrieve contacts you don't have permission to see) so the function itself can have fairly open permissions - hence I went for 'access CiviCRM' rather than 'merge duplicate contacts' - it might even be argued this should be open & rely solely on contact ACLs but I have not gone that far This function is part of moving towards api based rather than form based logic. It is not in use in core yet outside tests. --- CRM/Core/Permission.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CRM/Core/Permission.php b/CRM/Core/Permission.php index fabe79767d79..67af0c44c17c 100644 --- a/CRM/Core/Permission.php +++ b/CRM/Core/Permission.php @@ -973,6 +973,10 @@ public static function getEntityActionPermissions() { ], ]; + $permissions['dedupe'] = [ + 'getduplicates' => ['access CiviCRM'], + ]; + // CRM-16963 - Permissions for country. $permissions['country'] = [ 'get' => [