[CRM-12675] Contribution activities shown to users without permission - CiviCRM Issue Tracker

Details

Type: Bug
Status: Done/Fixed
Priority: Major
Resolution: Fixed/Completed
Affects Version/s: 4.3.3
Fix Version/s: 4.7
Component/s: CiviContribute
Labels:
- PatchSubmitted

Documentation Required?:
None
Funding Source:
Contributed Code

Description

If you don't give a (drupal) role any of the Civiconrtibute permissions or permission to view or delete activities, contribution activities can still be searched for and found. Although those activities are properly hidden when the activity tab is viewed for the contact that made the contribution.

This is a major security problem, as it allows seemingly anybody with Civi access to see all contributions, who made them, and how much they were for.

Attachments

Issue Links

links to

PR: civicrm-core#6836: CRM-12675: Contribution activities shown to users without permission

Activity

[CRM-12675] Contribution activities shown to users without permission

Donald A. Lobo added a comment - 2013-05-21 20:39

Can you please investigate and submit a patch for this issue. We can help out on IRC

Joseph Bayly added a comment - 2013-05-21 20:56

Dude, I don't even know PHP. I help out how I can. This report was me helping out how I could. Sorry I can't do more.

Donald A. Lobo added a comment - 2013-05-21 21:14

for the short term, i would recommend that those users are disabled from viewing activities.

Jake Martin White added a comment - 2015-03-07 3:19

This issue has caused some problems for me also. Some orgs want to hide sensitive financial data from non-fundraising staff, but still have other data visible on donor contacts (e.g. data relating to events, volunteer profiles, case history, etc.).

As Joseph flagged, all 'CiviContribute' activity types are filtered out from the 'Activity' tab for users without the 'access CiviContribute' permission. However, they are not filtered out from Activity search or Activity reports.

I would be happy to submit a patch on this issue if one would be welcomed. I believe the solution will touch:

CRM/Activity/Selector/Search.php
CRM/Report/Form/Activity.php

Coleman Watts added a comment - 2015-03-07 16:03

Thanks Jake, let us know if you have any questions while putting a patch together.

Jake Martin White added a comment - 2015-06-15 1:09

Created pull request:
https://github.com/civicrm/civicrm-core/pull/6012

David Greenberg added a comment - 2015-09-28 3:19

The Activity Details report throws a fatal error if a user other than user id = 1 tries to access it (see backtrace below)

If I remove lines 600 - 604, the report will run (i.e. revert that part of PR 6012).

After the fatal, this notice appears which is related:
Notice: Undefined index: civicrm_option_value in CRM_Report_Form_Activity->where() (line 602 of /Users/dgg/git/crm_v4.7/CRM/Report/Form/Activity.php).

To reproduce

login w/ administer CiviCRM permissions and update the Activity Details report instance Access to 'view all contacts'.
now login as user w/ access CiviCRM, access CiviReport, access Report Criteria, view all contacts
go to Activity Details instance (civicrm/report/instance/3?reset=1)
- - - backtrace —
      You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'IS NULL OR .component_id <> 7) AND (.component_id IS NULL OR .component_id <> ' at line 16

Yashodha Chaku added a comment - 2015-09-29 11:03

PR: https://github.com/civicrm/civicrm-core/pull/6836

Jitendra Purohit added a comment - 2015-09-29 11:04

checked the PR, works fine.

People

Assignee:

Jitendra Purohit

Reporter:

Joseph Bayly

Dates

Created:

2013-05-21 20:36

Updated:

2015-09-29 11:42

Resolved:

2015-09-29 11:42