Implement CRM_Core_Permission::check('access CiviContribute'))

[deputt]

Please enable limited access to SumFields for certain users e.g. only those who can access CiviContribute.

I did it (not sure if proper or otherwise) by adding the following lines to net.ourpowerbase.sumfields/CRM/Sumfields/Form/SumFields.php just below function buildQuickForm() at line 8:

if (!CRM_Core_Permission::check('access CiviContribute')){
  // This means the user is not allowed to access CiviContribute
  CRM_Core_Session::setStatus(E::ts("Summary Fields is disabled for your account."));
  return;
}

[jmcclelland]

Thanks for the feedback. I see the problem but am not sure the best way to solve it.

If we wanted to restrict access to the summary fields admin configuration, I think that the proper place to do so would be in the xml/Menu/sumfields.xml file. Currently anyone with 'access CiviCRM' privileges can make changes to the summary field settings. I think you might also need 'administer CiviCRM' to see the menu at all, but not 100% sure. I definitely think this would be an improvement - to explicitly require 'administer CiviCRM' privileges in order to administer Summary Fields.

But... I think there is another issue. If someone doesn't have 'access CiviContribute' permissions, they can still access the summary fields custom fields for any contact, thus getting access to some contribution details. I'm not sure it's even possible for an extension to restrict access to a custom field based on a permission.

Civi admins can setup ACLs to do this.

Also, it's not clear what permission to use even if we could do this - some people may only use the CiviEvent related summary fields, not the contribution related ones. So, these folks might want the permission to be 'access CiviEvent' and not 'access CiviContribute'.

Open to suggestions!