CiviCRM CRM-12747

Security Issue: Any user with "Access CiviCRM" can view contributions

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed/Completed
    • Affects Version/s: 4.3.3
    • Fix Version/s: 4.4.0
    • Component/s: CiviCRM Search
    • Labels: None
    • Is MIH?: No
    • Sprint: No

      Description

      All of the contribution-related custom searches that come packaged with CiviCRM allow any user with the "Access CiviCRM" permission to run those contribution custom searches and view their results.

      To reproduce:
      1) Create a user with a role that allows access to "Access CiviCRM" and "View all Contacts". Do NOT give permission to anything related to CiviContribute.

      2) Log in as this new user

      3) Go to the URL: http://mygroup.org/civicrm/contact/search/custom/list?reset=1

      4) Click "Find Contribution Amounts by Tag" and then click search. You can see all contribution records.

      The affected custom searches:
      - Find Contribution Amounts by Tag
      - Contributions made in Year X and not Year Y
      - Price Set Details for Event Participants ( this is borderline, as it does not show amounts, but amounts can be determined from the event info page)
      - Contribution Aggregate
      - Event Aggregate

        Activity

        Donald A. Lobo added a comment -

        Custom searches need to implement their own permissioning. Would help if you can contribute back and provide a patch for each of those searches. I suspect a simple patch might be to key it to "access" permissions on the respective component
        Pratik Joshi added a comment -

        submitted PR: https://github.com/civicrm/civicrm-core/pull/944 .
        Sarah Gladstone added a comment -

        Pratik - Would it be possible for a developer to implement a custom search that requires permission to multiple components? Such as the user needs permission to access both CiviContribute and CiviPledge?
        Kurund Jalmi added a comment -

        Sarah,

        check https://github.com/civicrm/civicrm-core/pull/944/files ( it's already done for Event Aggregate custom search )
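        The fix strategy discussed above (key each custom search to the "access" permission of every component whose data it exposes, and require all of them when more than one component is involved) can be illustrated with a custom search class. The following is an added example written for this page; it is not code from CiviCRM core or from the pull request linked above. The class name, the tag-based query and the list of required permissions are assumptions; `CRM_Contact_Form_Search_Custom_Base`, `CRM_Core_Permission::check()`, `CRM_Utils_System::permissionDenied()`, `CRM_Utils_System::civiExit()` and `CRM_Core_DAO::escapeString()` are existing CiviCRM APIs, and the base-class method signatures follow the 4.4-era base class as assumed here.

```php
<?php
// Added example, not CiviCRM core code and not the content of PR #944.
// Demonstrates gating a custom search on component "access" permissions.
// Assumptions: the class name, the SQL, the permission list and the
// base-class signatures (modelled on the 4.4-era CRM_Contact_Form_Search_Custom_Base).

class CRM_Contact_Form_Search_Custom_ContributionsByTagExample extends CRM_Contact_Form_Search_Custom_Base {

  /**
   * Every permission listed here must be held by the current user (AND, not OR).
   * A search that also joined event data would add 'access CiviEvent': partial
   * access to a joined result still leaks the other component's figures.
   */
  protected $_requiredPermissions = array('access CiviContribute');

  function __construct(&$formValues) {
    // Check before anything else runs. Putting the check in the constructor,
    // not only in buildForm(), covers every path that instantiates the search:
    // the form, the result listing, count(), contactIDs() and export tasks.
    $this->enforcePermissions();
    parent::__construct($formValues);
  }

  /**
   * Deny the request unless all required permissions are present.
   * Permissions are checked one at a time so this does not depend on
   * CRM_Core_Permission::check() accepting an array of permissions.
   */
  function enforcePermissions() {
    foreach ($this->_requiredPermissions as $permission) {
      if (!CRM_Core_Permission::check($permission)) {
        CRM_Utils_System::permissionDenied();
        CRM_Utils_System::civiExit();
      }
    }
  }

  function buildForm(&$form) {
    $form->add('text', 'tag_name', ts('Tag name'), array('maxlength' => 64));
    $this->setTitle(ts('Contribution Amounts by Tag (example)'));
    $form->assign('elements', array('tag_name'));
  }

  function columns() {
    return array(
      ts('Contact ID') => 'contact_id',
      ts('Name')       => 'sort_name',
      ts('Tag')        => 'tag_name',
      ts('Total')      => 'total_amount',
    );
  }

  function select() {
    return "
      contact_a.id              AS contact_id,
      contact_a.sort_name       AS sort_name,
      tag.name                  AS tag_name,
      SUM(contrib.total_amount) AS total_amount";
  }

  function from() {
    return "
      FROM civicrm_contact contact_a
      INNER JOIN civicrm_entity_tag et
              ON et.entity_table = 'civicrm_contact' AND et.entity_id = contact_a.id
      INNER JOIN civicrm_tag tag ON tag.id = et.tag_id
      INNER JOIN civicrm_contribution contrib ON contrib.contact_id = contact_a.id";
  }

  function where($includeContactIDs = FALSE) {
    // User input is escaped before being placed in hand-built SQL;
    // contact-ID scoping (the $includeContactIDs flag) is not used here.
    $tagName = CRM_Core_DAO::escapeString(
      trim(CRM_Utils_Array::value('tag_name', $this->_formValues, '')));
    $clauses = array('contrib.is_test = 0', 'contrib.contribution_status_id = 1');
    if ($tagName !== '') {
      $clauses[] = "tag.name = '{$tagName}'";
    }
    return implode(' AND ', $clauses);
  }

  // Aggregated results need a GROUP BY, which the base sql() helper takes
  // as its last argument; all() is overridden to supply it.
  function all($offset = 0, $rowcount = 0, $sort = NULL, $includeContactIDs = FALSE, $justIDs = FALSE) {
    $select = $justIDs ? 'contact_a.id AS contact_id' : $this->select();
    return $this->sql($select, $offset, $rowcount, $sort, $includeContactIDs,
      'GROUP BY contact_a.id, tag.id');
  }

  function templateFile() {
    return 'CRM/Contact/Form/Search/Custom.tpl';
  }
}
```

        To check the effect, register the class as a custom search and repeat steps 1 to 4 from the description with a user that holds only "Access CiviCRM" and "View all Contacts": opening the search should now end on the permission-denied page instead of a result list. Removing the search from the `civicrm/contact/search/custom/list` page would only hide the entry; the check inside the class is what protects the contribution data, because the search can be reached by URL regardless of what the list shows.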

          People

          • Assignee: Pratik Joshi
          • Reporter: Sarah Gladstone
          • Votes: 0
          • Watchers: 4
