CiviCRM / CRM-12747

Security Issue: Any user with "Access CiviCRM" can view contributions

    Details

    • Type: Bug
    • Status: Done/Fixed
    • Priority: Minor
    • Resolution: Fixed/Completed
    • Affects Version/s: 4.3.3
    • Fix Version/s: 4.4.0
    • Component/s: CiviCRM Search
    • Labels:
      None

      Description

      All of the contribution-related custom searches that come packaged with CiviCRM allow any user with the "Access CiviCRM" permission to run and view those contribution custom searches.

      To reproduce:
      1) Create a user with a role that allows access to "Access CiviCRM" and "View all Contacts". Do NOT give permission to anything related to CiviContribute.

      2) Log in as this new user

      3) Go to the URL: http://mygroup.org/civicrm/contact/search/custom/list?reset=1

      4) Click "Find Contribution Amounts by Tag" and then click search. You can see all contribution records.

      The affected custom searches:

      • Find Contribution Amounts by Tag
      • Contributions made in Year X and not Year Y
      • Price Set Details for Event Participants (this is borderline, as it does not show amounts, but amounts can be determined from the event info page)
      • Contribution Aggregate
      • Event Aggregate
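      The ticket does not show the 4.4 fix, so the following is an added illustration rather than CiviCRM's own code: a hypothetical contribution custom search (class name, form field and SQL are all assumptions for the example) that performs the authorization check the searches listed above lacked. The guard runs in the constructor, before any SQL is built, and requires the CiviContribute component permission ("access CiviContribute") instead of relying on the generic "access CiviCRM" permission that every user of the reproduction steps already holds. It assumes the CiviCRM 4.x custom-search contract (a class registered in the custom_search option group, constructed with the submitted form values, and asked for from()/where()/all()/count() SQL by the custom search form); CRM_Core_Permission::check, CRM_Core_Error::fatal, CRM_Core_DAO::composeQuery and CRM_Core_DAO::singleValueQuery are real CiviCRM APIs of that era.

```php
<?php
/**
 * Added example, not part of CiviCRM and not the CRM-12747 fix: a custom search
 * over contribution totals that refuses to run for any user lacking the
 * CiviContribute permission, so "access CiviCRM" alone no longer exposes amounts.
 *
 * Assumed contract (CiviCRM 4.x): registered in the "custom_search" option group,
 * extends the shipped Custom_Base class and implements the search interface.
 */
class CRM_Contact_Form_Search_Custom_ContribTotalsExample extends CRM_Contact_Form_Search_Custom_Base implements CRM_Contact_Form_Search_Interface {

  function __construct(&$formValues) {
    // Authorization first, before any query text exists. "access CiviCRM" is not
    // enough to see contribution data; the component permission is required.
    if (!CRM_Core_Permission::check('access CiviContribute')) {
      CRM_Core_Error::fatal(ts('You do not have permission to access contribution data.'));
    }
    parent::__construct($formValues);

    // Column label => SQL alias consumed by the shared Custom.tpl result table.
    $this->_columns = array(
      ts('Contact Id') => 'contact_id',
      ts('Name') => 'sort_name',
      ts('Total Contributed') => 'total_amount',
    );
  }

  function buildForm(&$form) {
    $this->setTitle(ts('Contribution totals (example)'));
    // Hypothetical form field: minimum aggregate amount to include a contact.
    $form->add('text', 'min_total', ts('Minimum total amount'));
    // Custom.tpl renders the elements listed here.
    $form->assign('elements', array('min_total'));
  }

  function from() {
    return "
      FROM civicrm_contact contact_a
      INNER JOIN civicrm_contribution contrib ON contrib.contact_id = contact_a.id";
  }

  function where($includeContactIDs = FALSE) {
    // Static predicates only; the user-supplied value is bound in having().
    return 'contact_a.is_deleted = 0 AND contrib.is_test = 0';
  }

  // HAVING clause for the user-supplied minimum, bound through composeQuery
  // (typed as Money) rather than interpolated into the SQL string.
  protected function having() {
    $min = CRM_Utils_Array::value('min_total', $this->_formValues);
    if ($min === NULL || $min === '') {
      return '';
    }
    $params = array(1 => array($min, 'Money'));
    return CRM_Core_DAO::composeQuery(' HAVING SUM(contrib.total_amount) >= %1', $params, TRUE);
  }

  function all($offset = 0, $rowcount = 0, $sort = NULL, $includeContactIDs = FALSE, $justIDs = FALSE) {
    // contact_id must be selected as an alias of civicrm_contact.id for the result table.
    $select = $justIDs
      ? 'contact_a.id AS contact_id'
      : 'contact_a.id AS contact_id, contact_a.sort_name AS sort_name, SUM(contrib.total_amount) AS total_amount';
    $sql = "SELECT $select " . $this->from() . ' WHERE ' . $this->where($includeContactIDs)
      . ' GROUP BY contact_a.id' . $this->having();
    if ($sort) {
      // $sort is either a raw ORDER BY fragment or a CRM_Utils_Sort object.
      $sql .= ' ORDER BY ' . (is_string($sort) ? $sort : $sort->orderBy());
    }
    if ($rowcount > 0 && $offset >= 0) {
      $sql .= ' LIMIT ' . (int) $offset . ', ' . (int) $rowcount;
    }
    return $sql;
  }

  function contactIDs($offset = 0, $rowcount = 0, $sort = NULL, $returnSQL = FALSE) {
    // Same query restricted to contact ids, used when a task is run on the result set.
    return $this->all($offset, $rowcount, $sort, FALSE, TRUE);
  }

  function count() {
    // Count grouped rows so the HAVING filter is honoured in the total.
    $sql = 'SELECT COUNT(*) FROM (SELECT contact_a.id ' . $this->from() . ' WHERE ' . $this->where()
      . ' GROUP BY contact_a.id' . $this->having() . ') AS matches';
    return CRM_Core_DAO::singleValueQuery($sql);
  }

  function templateFile() {
    return 'CRM/Contact/Form/Search/Custom.tpl';
  }
}
```

      Placing the check in the constructor matters because the custom search page instantiates the class before calling buildForm() or any of the SQL methods, so a guard in buildForm() alone could still let a crafted request reach all()/count(). The same check would need to be present in each of the five searches listed above (or in the code that instantiates them) for the report to be fully addressed.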

    People

    • Assignee: Pratik Joshi (pratik.joshi)
    • Reporter: Sarah Gladstone (sgladstone)