
Giving a user CiviCRM: View Profile Permission gives them access to all records via URL manipulation

    Details

    • Type: Bug
    • Status: Done/Fixed
    • Priority: Critical
    • Resolution: Won't Fix
    • Affects Version/s: 4.2.1
    • Fix Version/s: None
    • Component/s: CiviCRM Profile

      Description

      Giving a user CiviCRM: View Profile Permission gives them access to all records via URL manipulation. This is a slightly different issue than the previously reported issue in CRM-10853, in which one permission provides two separate permissions.
      View Profile is basically bypassing the "CiviCRM: View all Contacts" permission.
      Ideally CiviCRM: View Profile should be further restricted by underlying permissions; however, I don't believe there is an appropriate core permission, other than perhaps "CiviCRM: Access CiviCRM", that would apply.
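The authorization gap described in this report, modelled as an added Python example (this is illustrative code, not CiviCRM's implementation): the permission labels are the ones named in the report, while the contact records, the `User` model and the ACL set are constructed for the demonstration. The unchecked handler reproduces the reported behaviour, the checked handler shows the per-contact gate the report asks for, and `reachable_contacts` makes the difference measurable for a given user.

```python
"""Model of CRM-10934: a coarse "View Profile" permission with no per-contact
check serves any contact id that arrives in the URL. Added example, not
CiviCRM code; permission labels come from the report, everything else is
constructed for the demonstration."""

from dataclasses import dataclass, field

# Permission labels exactly as they appear in the bug report.
VIEW_PROFILE = "CiviCRM: View Profile"
VIEW_ALL_CONTACTS = "CiviCRM: View all Contacts"

# Constructed sample contact records (not real data).
CONTACTS = {
    1: {"display_name": "Alice Example", "email": "alice@example.invalid"},
    2: {"display_name": "Bob Example", "email": "bob@example.invalid"},
    3: {"display_name": "Carol Example", "email": "carol@example.invalid"},
}


class PermissionDenied(Exception):
    """Raised when the caller may not view the requested contact."""


@dataclass
class User:
    contact_id: int                                     # the user's own contact record
    permissions: set = field(default_factory=set)       # role-level permissions
    acl_contact_ids: set = field(default_factory=set)   # contacts an ACL opens to this user (assumed model)


def view_profile_unchecked(user: User, contact_id: int) -> dict:
    """Behaviour described in the report: only the role-level permission is
    checked, so whichever id is in the URL is served."""
    if VIEW_PROFILE not in user.permissions:
        raise PermissionDenied("missing " + VIEW_PROFILE)
    return CONTACTS[contact_id]


def can_view_contact(user: User, contact_id: int) -> bool:
    """Object-level check: the underlying contact permissions decide, not the
    profile permission. 'View all Contacts' grants everything; otherwise the
    user may see their own record or one an ACL has opened to them."""
    if VIEW_ALL_CONTACTS in user.permissions:
        return True
    if contact_id == user.contact_id:
        return True
    return contact_id in user.acl_contact_ids


def view_profile_checked(user: User, contact_id: int) -> dict:
    """Hardened handler: the profile permission gates the feature and the
    contact permission gates the individual record."""
    if VIEW_PROFILE not in user.permissions:
        raise PermissionDenied("missing " + VIEW_PROFILE)
    if not can_view_contact(user, contact_id):
        # Deny before touching the record so the response reveals nothing about it.
        raise PermissionDenied(f"contact {contact_id} is not visible to this user")
    return CONTACTS[contact_id]


def reachable_contacts(handler, user: User, candidate_ids) -> list:
    """Audit helper: return the candidate ids the handler serves to this user.
    Run against both handlers it shows how far a role permission alone reaches."""
    served = []
    for cid in candidate_ids:
        try:
            handler(user, cid)
        except PermissionDenied:
            continue
        served.append(cid)
    return served


if __name__ == "__main__":
    limited = User(contact_id=1, permissions={VIEW_PROFILE})
    print("unchecked:", reachable_contacts(view_profile_unchecked, limited, CONTACTS))
    print("checked:  ", reachable_contacts(view_profile_checked, limited, CONTACTS))
```

With only View Profile granted, the unchecked handler serves every record while the checked one serves only the user's own; adding View all Contacts or an ACL entry widens the checked result in the expected way, which is the behaviour an access review of a profile endpoint should confirm.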


            People

            • Assignee: lobo (Donald A. Lobo)
            • Reporter: lola_slade (Lola Slade)
            • Votes: 0
            • Watchers: 4
