CRM-12675 Contribution activities shown to users without permission

    Details

    • Type: Bug
    • Status: Done/Fixed
    • Priority: Major
    • Resolution: Fixed/Completed
    • Affects Version/s: 4.3.3
    • Fix Version/s: 4.7
    • Component/s: CiviContribute
    • Labels:
    • Documentation Required?:
      None
    • Funding Source:
      Contributed Code

      Description

      If you don't give a (Drupal) role any of the CiviContribute permissions or permission to view or delete activities, contribution activities can still be searched for and found, although those activities are properly hidden when the activity tab is viewed for the contact that made the contribution.

      This is a major security problem, as it allows seemingly anybody with Civi access to see all contributions, who made them, and how much they were for.


          Activity

          Donald A. Lobo added a comment -


          Can you please investigate and submit a patch for this issue? We can help out on IRC.

          Joseph Bayly added a comment -

          Dude, I don't even know PHP. I help out how I can. This report was me helping out how I could. Sorry I can't do more.

          Donald A. Lobo added a comment -


          For the short term, I would recommend that those users are disabled from viewing activities.

          Jake Martin White added a comment -

          This issue has caused some problems for me also. Some orgs want to hide sensitive financial data from non-fundraising staff, but still have other data visible on donor contacts (e.g. data relating to events, volunteer profiles, case history, etc.).

          As Joseph flagged, all 'CiviContribute' activity types are filtered out from the 'Activity' tab for users without the 'access CiviContribute' permission. However, they are not filtered out from Activity search or Activity reports.

          I would be happy to submit a patch on this issue if one would be welcomed. I believe the solution will touch:

          • CRM/Activity/Selector/Search.php
          • CRM/Report/Form/Activity.php
          Coleman Watts added a comment -

          Thanks Jake, let us know if you have any questions while putting a patch together.

          Jake Martin White added a comment -
          David Greenberg added a comment -

          The Activity Details report throws a fatal error if a user other than user id = 1 tries to access it (see backtrace below).

          If I remove lines 600 - 604, the report will run (i.e. revert that part of PR 6012).

          After the fatal, this notice appears which is related:
          Notice: Undefined index: civicrm_option_value in CRM_Report_Form_Activity->where() (line 602 of /Users/dgg/git/crm_v4.7/CRM/Report/Form/Activity.php).

          To reproduce

          • login w/ administer CiviCRM permissions and update the Activity Details report instance Access to 'view all contacts'.
          • now login as user w/ access CiviCRM, access CiviReport, access Report Criteria, view all contacts
          • go to Activity Details instance (civicrm/report/instance/3?reset=1)
          Backtrace:
          You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'IS NULL OR .component_id <> 7) AND (.component_id IS NULL OR .component_id <> ' at line 16
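
          Added example, not part of the thread and not CiviCRM's code: the empty alias before `.component_id` in the SQL error above is consistent with the undefined `civicrm_option_value` index in the notice. The sketch below reproduces that fragment and shows one way to guard it by refusing to build the query when the table is not joined. All function and variable names are hypothetical, and the second component id is constructed.

```php
<?php
// Added illustration; names are hypothetical, not CiviCRM's.

/**
 * Build the "hide activities of components the user cannot access" filter.
 *
 * @param array $aliases    table name => SQL alias used in this query
 * @param int[] $deniedIds  component ids the current user may not see
 * @param bool  $checkAlias FALSE reproduces the unguarded concatenation
 */
function componentFilter(array $aliases, array $deniedIds, bool $checkAlias = TRUE): string {
  $table = 'civicrm_option_value';
  if ($checkAlias && empty($aliases[$table])) {
    // Fail closed: without the join the restricted activities cannot be
    // identified, so refuse to run rather than silently drop the filter.
    throw new RuntimeException("$table is not joined; cannot apply component filter");
  }
  // Unguarded path: a missing key yields an empty alias. (?? hides the
  // "Undefined index" notice that plain array access would raise.)
  $alias = $aliases[$table] ?? '';
  $clauses = [];
  foreach ($deniedIds as $id) {
    $id = (int) $id; // cast, never interpolate raw input
    // NULL component_id means "no component", which stays visible.
    $clauses[] = "($alias.component_id IS NULL OR $alias.component_id <> $id)";
  }
  return implode(' AND ', $clauses);
}

// Constructed input: 7 appears in the error above, 3 is made up.
$denied = [7, 3];

// Alias present: well-formed SQL fragment.
echo componentFilter(['civicrm_option_value' => 'ov'], $denied), PHP_EOL;

// Alias missing, unguarded: ".component_id", as in the backtrace.
echo componentFilter([], $denied, FALSE), PHP_EOL;

// Alias missing, guarded: the report refuses to run.
try {
  componentFilter([], $denied);
} catch (RuntimeException $e) {
  echo 'refused: ', $e->getMessage(), PHP_EOL;
}
```

          Failing closed is a design choice made for this sketch: a report that errors out is visible and safe, whereas skipping the clause would restore the original disclosure.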
          Jitendra Purohit added a comment -

          Checked the PR, works fine.

            People

            • Assignee:
              Jitendra Purohit
              Reporter:
              Joseph Bayly
