  1. CiviCRM
  2. CRM-12675

Contribution activities shown to users without permission

    Details

    • Type: Bug
    • Status: Done/Fixed
    • Priority: Major
    • Resolution: Fixed/Completed
    • Affects Version/s: 4.3.3
    • Fix Version/s: 4.7
    • Component/s: CiviContribute
    • Labels:
    • Documentation Required?:
      None
    • Funding Source:
      Contributed Code

      Description

      If you don't give a (Drupal) role any of the CiviContribute permissions or permission to view or delete activities, contribution activities can still be searched for and found, although those activities are properly hidden when the activity tab is viewed for the contact that made the contribution.

      This is a major security problem, as it allows seemingly anybody with Civi access to see all contributions, who made them, and how much they were for.

            People

            • Assignee:
              jitendra.purohit Jitendra Purohit
              Reporter:
              jtbayly Joseph Bayly
            • Votes: 0
              Watchers: 6
