Details
- Type: Bug
- Status: Done/Fixed
- Priority: Minor
- Resolution: Fixed/Completed
- Affects Version/s: 4.3.3
- Fix Version/s: 4.4.0
- Component/s: CiviCRM Search
- Labels: None
Description
All of the contribution-related custom searches that come packaged with CiviCRM allow any user with the "Access CiviCRM" permission to run and view those contribution custom searches.
To reproduce:
1) Create a user with a role that allows access to "Access CiviCRM" and "View all Contacts". Do NOT give permission to anything related to CiviContribute.
2) Log in as this new user
3) Go to the URL: http://mygroup.org/civicrm/contact/search/custom/list?reset=1
4) Click "Find Contribution Amounts by Tag" and then click search. You can see all contribution records.
The affected custom searches:
- Find Contribution Amounts by Tag
- Contributions made in Year X and not Year Y
- Price Set Details for Event Participants (this is borderline, as it does not show amounts, but amounts can be determined from the event info page)
- Contribution Aggregate
- Event Aggregate
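
The access decision described above, modelled as an added example (this is not CiviCRM code and not the project's 4.4.0 fix). It assumes each affected search should also require the "access CiviContribute" permission; the function names and the per-search `requires` field are hypothetical.

```python
from dataclasses import dataclass

# Permission names as used by CiviCRM roles.
ACCESS_CIVICRM = "access CiviCRM"
VIEW_ALL_CONTACTS = "view all contacts"
# Assumption: contribution data should be gated on this component permission.
ACCESS_CONTRIBUTE = "access CiviContribute"


@dataclass(frozen=True)
class CustomSearch:
    title: str
    requires: frozenset  # permissions needed in addition to ACCESS_CIVICRM


# The five searches listed in the report, each tagged with the assumed gate.
AFFECTED = [
    CustomSearch(title, frozenset({ACCESS_CONTRIBUTE}))
    for title in (
        "Find Contribution Amounts by Tag",
        "Contributions made in Year X and not Year Y",
        "Price Set Details for Event Participants",
        "Contribution Aggregate",
        "Event Aggregate",
    )
]


def can_run_reported(user_perms, search):
    """Behaviour described in the report: only the base permission is checked."""
    return ACCESS_CIVICRM in user_perms


def can_run_hardened(user_perms, search):
    """Base permission plus every permission the search itself declares."""
    perms = set(user_perms)
    return ACCESS_CIVICRM in perms and search.requires <= perms


def exposed(user_perms, check, searches=AFFECTED):
    """Titles of the searches a user with these permissions can run."""
    return [s.title for s in searches if check(user_perms, s)]


# Constructed test user matching step 1 of the reproduction.
REPRO_USER = {ACCESS_CIVICRM, VIEW_ALL_CONTACTS}

if __name__ == "__main__":
    print("reported:", exposed(REPRO_USER, can_run_reported))
    print("hardened:", exposed(REPRO_USER, can_run_hardened))
```

Running the same comparison against each role's real permission set works as a regression check: any search that appears in the output for a role without CiviContribute access is still exposed.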