  1. CiviCRM
  2. CRM-12920

Edit all contacts permission overrides CiviEvent/CiviContrib permissions in search

    Details

    • Type: Bug
    • Status: Done/Fixed
    • Priority: Major
    • Resolution: Fixed/Completed
    • Affects Version/s: 4.3.4
    • Fix Version/s: 4.6
    • Component/s: CiviCRM Profile
    • Labels:
    • Documentation Required?: None

      Description

      Users who do not have permission to edit event participation records can circumvent access controls.

      To reproduce:

      1. Have a user who does not have the "CiviEvent: edit event participants" role.
      2. Have a profile which can be used for updating participant records.
      3. Search for Event participants.
      4. From the actions drop-down, select "Batch Update Participants via Profile".

      The update should not be possible if the user does not have the edit participants permission.
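
A minimal model of the authorization gap reported above, as an added example that is not CiviCRM's code and not the fix that was shipped. All function names are hypothetical; only the permission strings "edit all contacts" and "edit event participants" and the task label come from this issue. The weak form lets the contact-level permission unlock the participant task, and the corrected form requires the component permission both when the task is listed and when the update is submitted.

```php
<?php
// Added illustration, not CiviCRM code. All function names are hypothetical;
// the two permission strings come from the issue title and description.

const EDIT_CONTACTS = 'edit all contacts';
const EDIT_PARTICIPANTS = 'edit event participants';
const BATCH_TASK = 'Batch Update Participants via Profile';

// Weak form: the contact-level permission alone unlocks the participant task.
function searchTasksWeak(array $perms): array {
  return in_array(EDIT_CONTACTS, $perms, true) ? [BATCH_TASK] : [];
}

// Corrected form: the task is listed only with the component permission.
function searchTasksFixed(array $perms): array {
  return in_array(EDIT_PARTICIPANTS, $perms, true) ? [BATCH_TASK] : [];
}

// Hiding the task is only presentation: the handler that writes the records
// repeats the check so the decision never depends on what the menu showed.
function batchUpdateParticipants(array $perms, array $rows): int {
  if (!in_array(EDIT_PARTICIPANTS, $perms, true)) {
    throw new RuntimeException('Permission denied: ' . EDIT_PARTICIPANTS);
  }
  return count($rows); // stand-in for saving each participant row
}

// Constructed sample user: may edit contacts, may not edit participants.
$user = [EDIT_CONTACTS];
// Constructed sample submission from the batch-update profile form.
$rows = [['participant_id' => 1, 'status' => 'Attended']];

var_dump(searchTasksWeak($user));   // task list under the weak rule
var_dump(searchTasksFixed($user));  // task list under the corrected rule

try {
  batchUpdateParticipants($user, $rows);
} catch (RuntimeException $e) {
  echo $e->getMessage(), PHP_EOL;   // the submission is refused as well
}
```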

            People

            • Assignee: yashodha Yashodha Chaku
            • Reporter: paulc paul campbell