Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[REF] Apply fix for CRM-607 for when building the select section of t… #16627

Merged
merged 1 commit into from
Feb 27, 2020
Merged

[REF] Apply fix for CRM-607 for when building the select section of t… #16627

merged 1 commit into from
Feb 27, 2020

Conversation

seamuslee001
Copy link
Contributor

…he query as well as in where

Overview

This aims to apply the fix for CRM-607 to the select function as well as in the Where clause. Australian Greens found a problem where by a smart group was referencing 3 fields that were no longer existing in the database this caused problems because it would try and join but as NULL was being passed to joinCustomTableForField then it caused a syntax error

Before

Syntax error can be caused in a specific way

After

No syntax error

ping @andrew-cormick-dockery @johntwyman @eileenmcnaughton

@civibot
Copy link

civibot bot commented Feb 26, 2020

(Standard links)

@civibot civibot bot added the master label Feb 26, 2020
@seamuslee001
Copy link
Contributor Author

Jenkins re test this please

@andrew-cormick-dockery
Copy link
Contributor

I have reservations about smart groups suddenly producing different results in certain circumstances (instead of producing DB syntax errors). I think the long term fix for this is to disable smart groups which make specific references to deleted custom groups and/or fields at the point in time that the field is deleted.

Having said that, I believe we're better off merging this PR right now than waiting for the above work to be completed.

@eileenmcnaughton
Copy link
Contributor

This worries me a lot - if I create a smart group that says only people with custom field x can view Donald Trump's tax returns (which of course happens to be stored as an activity in the database) & then someone deletes custom group x then the result should be no-one can view his returns -not that the whole database can - which I believe would be the outcome of this - a hard error feels better than a security breach

@seamuslee001
Copy link
Contributor Author

@eileenmcnaughton tho when we build the where clause https://github.com/civicrm/civicrm-core/pull/16627/files#diff-f7844105b59390da9d2993f5c8e93fd0R230 we are already achieving essentially the same result. This is just putting it for when we build the select clause which seems to make things consistent tbh

@eileenmcnaughton
Copy link
Contributor

@seamuslee001 so it feels like a security bug already exists....

@seamuslee001
Copy link
Contributor Author

@eileenmcnaughton i think its always been that way but this seemed to get caused by the upgrade were a bunch of _relative = 0 keys were added to the formValues

@eileenmcnaughton
Copy link
Contributor

@seamuslee001 well I'm deeply uncomfortable with us allowing custom groups to work if any of their WHERE fields are disabled - this is select so I can see your case of it being 'not worse' but @colemanw I think API v4 smart searches should hard-fail if any fields no longer exist....

@eileenmcnaughton eileenmcnaughton merged commit 7592d3a into civicrm:master Feb 27, 2020
@eileenmcnaughton eileenmcnaughton deleted the aug_custom_fields_fix branch February 27, 2020 22:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
master
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@seamuslee001 @andrew-cormick-dockery @eileenmcnaughton