Details
- Type: Bug
- Status: Done/Fixed
- Priority: Critical
- Resolution: Won't Fix
- Affects Version/s: 4.2.1
- Fix Version/s: None
- Component/s: CiviCRM Profile
- Labels: (none)
Description
Giving a user the CiviCRM: View Profile permission gives them access to all contact records via URL manipulation (changing the contact ID in the profile URL). This is a slightly different issue from the previously reported CRM-10853, in which a single permission grants two separate capabilities.
View Profile is effectively bypassing the "CiviCRM: View all Contacts" permission.
Ideally, CiviCRM: View Profile should be further restricted by underlying permissions; however, I don't believe there is an appropriate core permission, other than perhaps "CiviCRM: Access CiviCRM", that would apply.
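The layering the report asks for, as an added illustration that is not CiviCRM core code: the profile permission is treated as necessary but not sufficient, and a contact ID taken from the URL is only honoured when it is the requesting user's own record or the user also holds the broader view-all permission. The `hasPermission()` helper, the user array shape, and the permission machine names `'profile view'` and `'view all contacts'` are assumptions made for this example.

```php
<?php
// Added example, not CiviCRM's own code. hasPermission(), the $user array
// layout and the permission names below are assumptions for illustration.

function hasPermission(array $user, string $permission): bool {
    return in_array($permission, $user['permissions'], true);
}

/**
 * Decide whether $user may view the profile of $requestedContactId.
 * The contact ID comes from the URL and is therefore attacker-controlled,
 * so the profile permission alone must never unlock it.
 */
function canViewProfileRecord(array $user, int $requestedContactId): bool {
    // Step 1: the profile feature itself must be permitted.
    if (!hasPermission($user, 'profile view')) {
        return false;
    }
    // Step 2: a user may always see their own record.
    if ($requestedContactId === $user['contact_id']) {
        return true;
    }
    // Step 3: anyone else's record requires the broader permission that the
    // report says View Profile currently bypasses.
    return hasPermission($user, 'view all contacts');
}

// Constructed sample users.
$profileOnly = ['contact_id' => 42, 'permissions' => ['access CiviCRM', 'profile view']];
$staff       = ['contact_id' => 7,  'permissions' => ['access CiviCRM', 'profile view', 'view all contacts']];

var_dump(canViewProfileRecord($profileOnly, 42));  // bool(true)  own record
var_dump(canViewProfileRecord($profileOnly, 99));  // bool(false) URL-manipulated ID is refused
var_dump(canViewProfileRecord($staff, 99));        // bool(true)  view-all permission present
```

The ordering matters: checking ownership before the view-all permission keeps the common case cheap, while the early return on a missing profile permission ensures a user who lacks the feature entirely never reaches the record lookup.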