How to test permissions and ACLS in CiviCRM

Written By Allen Shaw

Permission changes in CiviCRM can make for some surprising results.

I don't blame the software. It's meant to be very flexible, which of course means it can be complex.

That’s why I recommend testing carefully any time you make a permissions change.

So how do you do that?

The simple answer is: log in as a regular user — not with your usual admin account, but as a user who has the role that you need to test — and verify that it works as you expect it to.

This process will vary, depending on your CMS:

  • Drupal: Install and use the Masquerade module. Once you've logged in as an administrator, this module provides an easy way to temporarily switch to any other user account, without knowing their password.

  • WordPress: Install and use the User Switching plug-in. It solves exactly the same problem as Drupal’s masquerade module.

  • Joomla: Sorry, there's no such extension for Joomla. The best solution is usually to create a new user account, give it the appropriate user access group, and then login as that user.

(As a general security practice, I don't recommend asking any of your users for their password. There's just too much risk of it being disclosed accidentally.)

By the way, this is also a great way to test anytime one of your users reports some mysterious behavior. Masquerade as that user, and observe it for yourself. This save will save you a whole lot of guesswork.

All the best,
A.

Allen Shaw
Previous

CiviCRM permissions vs ACLs
Next

What’s so hard about CiviCRM permissions?