Details
- Type: Patch
- Status: Done/Fixed
- Priority: Trivial
- Resolution: Fixed/Completed
- Affects Version/s: 4.1.1
- Fix Version/s: 4.1.2
- Component/s: None
- Labels: None
Description
I'm seeing people create reports which allow anonymous/authenticated user access to internal data because they don't set the permissions when creating a report. I think it should default to something more restrictive - 'CiviReport: access CiviReport' seems like the logical level - see below.
Index: CRM/Report/Form/Instance.php
===================================================================
— CRM/Report/Form/Instance.php (revision 39574)
+++ CRM/Report/Form/Instance.php (working copy)
@@ -174,6 +174,8 @@
$instanceID = $form->getVar('_id');
$navigationDefaults = array();
+ $permissions = array_flip(CRM_Core_Permission::basicPermissions( ));
+ $defaults['permission'] = $permissions['CiviReport: access CiviReport'];
$config = CRM_Core_Config::singleton();
$defaults['report_header'] = $report_header = "<html>
<head>
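Review bot: The new default in the two added lines is looked up by display label, `$permissions['CiviReport: access CiviReport']`, with no check that the label exists in the flipped array. If `CRM_Core_Permission::basicPermissions( )` does not return exactly that label text, the index is undefined and `$defaults['permission']` ends up empty, which silently brings back the unrestricted default this patch is meant to remove. Suggest guarding the lookup with `isset()` or assigning the permission key directly instead of going through `array_flip`, and adding a one-line comment saying why the default is restrictive. Also, the assignment sits right after `$instanceID = $form->getVar('_id');` but is not conditional on it; please confirm that for an existing instance the saved permission still replaces this default further down, so that editing a report does not reset its permission.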