Uploaded image for project: 'CiviCRM'
  1. CiviCRM
  2. CRM-13272

View Membership page links doesn't respect permissions

          Details

          • Type: Bug
          • Status: Open
          • Priority: Major
          • Resolution: Unresolved
          • Affects Version/s: 4.3.3
          • Fix Version/s: Unscheduled
          • Component/s: CiviMember
          • Labels:
            None
          • Versioning Impact:
            Patch (backwards-compatible bug fixes)

            Description

            It is possible to access a membership view without having contact edit permissions by navigating to /civicrm/membership/view?&id=### I'm not sure if this was intentional or not, but It has come in handy for my usecase as it requires only the CiviMember: access CiviMember permission. However, the blocks that comprise the page link to the civicrm/contact/view/membership pages. and civicrm/contact/view pages. If they don't have permission to do so, these links shouldn't be availaible.

            See http://content.screencast.com/users/talkitivewizard/folders/Jing/media/f5a69a79-e2b1-460d-9c60-28a22343848a/00000331.png

              Attachments

                Activity

                  People

                  • Assignee:
                    Unassigned
                    Reporter:
                    generalredneck Allan Chappell
                  • Votes:
                    0 Vote for this issue
                    Watchers:
                    2 Start watching this issue

                    Dates

                    • Created:
                      Updated: