Details
Type: Bug
Status: Done/Fixed
Priority: Major
Resolution: Fixed/Completed
Affects Version/s: 1.6
Fix Version/s: 1.7
Component/s: None
Labels: None
Description
Prevent profiles from being used via the profile path (civicrm/profile/...) if the "Used For" Profile checkbox is not set for that uf_group (under Admin >> Profiles >> Settings). This will prevent sites from inadvertently exposing DB field values and listings to roles/unauthenticated users when they configure profiles for other purposes (e.g. User Registration, Contribution pages, etc.).
For example, if my "Contributor Info" profile (gid = 2 in the sample dataset) does NOT have the "Profile" checkbox selected (under Settings), then any attempt to render this profile for listings, edit or create should produce an error rather than the form/view page (e.g. for the paths civicrm/profile?reset=1&gid=2, civicrm/profile/create?reset=1&gid=2 and civicrm/profile/edit?reset=1&gid=2):
"This profile is not configured for the requested action. Contact the site administrator if you need assistance."
This restriction should also be applied when multiple profiles are rendered (e.g. when no gid= is passed).
NOTE: This change will not prevent non-authenticated users from seeing listings, but it will allow site admins to create profiles for other purposes (e.g. Search Results, User Reg, etc.) which include fields that they don't want exposed to "listings". We will be looking at field-level permissioning for profiles in a future release.
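The guard described above, modelled in Python as an added illustration; this is not CiviCRM's own PHP code, and the uf_group records, the `used_for` set and the function names are assumptions made for the example. It applies the same deny-by-default check to a single-gid request, to the no-gid multi-profile case, and to the "return to listings" link offered after a save, and it also rejects a non-numeric gid such as `%` with the same message rather than an unhandled type error. The pre-fix behaviour is kept alongside for comparison.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs

ERROR_MSG = ("This profile is not configured for the requested action. "
             "Contact the site administrator if you need assistance.")

# Actions reachable under the civicrm/profile path.
PROFILE_ACTIONS = {"listings", "view", "create", "edit"}


class ProfileAccessError(Exception):
    """Raised instead of rendering a form/listing the profile is not enabled for."""


@dataclass(frozen=True)
class UFGroup:
    """Minimal stand-in (assumption) for a uf_group row."""
    gid: int
    title: str
    used_for: frozenset  # the "Used For" checkboxes under Admin >> Profiles >> Settings


# Constructed sample data, not the real CiviCRM sample dataset.
SAMPLE_GROUPS = {
    1: UFGroup(1, "Name and Address", frozenset({"Profile", "User Registration"})),
    2: UFGroup(2, "Contributor Info", frozenset({"Contribution"})),  # "Profile" unchecked
    3: UFGroup(3, "Newsletter Signup", frozenset()),                 # everything unchecked
}


def parse_gid(query):
    """Return gid as a positive int, None when absent, or raise on junk like gid=%."""
    raw = parse_qs(query, keep_blank_values=True).get("gid")
    if raw is None:
        return None
    if not raw[0].isdigit() or int(raw[0]) == 0:
        raise ProfileAccessError(ERROR_MSG)
    return int(raw[0])


def resolve_profiles_unchecked(groups, gid):
    """Pre-fix behaviour: any existing gid renders, whatever "Used For" says."""
    return groups[gid]


def resolve_profiles(groups, action, query):
    """Fixed behaviour: return the uf_groups that may render for this action/query."""
    if action not in PROFILE_ACTIONS:
        raise ValueError(f"unknown profile action {action!r}")
    gid = parse_gid(query)
    if gid is None:
        # No gid: several profiles are rendered, but only those enabled for "Profile".
        allowed = [g for g in groups.values() if "Profile" in g.used_for]
        if not allowed:
            raise ProfileAccessError(ERROR_MSG)
        return allowed
    group = groups.get(gid)
    # Same message for "no such gid" and "not enabled": a caller probing gids
    # learns nothing about which profiles exist (design choice for this example).
    if group is None or "Profile" not in group.used_for:
        raise ProfileAccessError(ERROR_MSG)
    return [group]


def listings_link_after_save(groups, gid):
    """Link for the post-save confirmation page: a 'return to listings' link only
    if the profile passes the same check, otherwise the plain CiviCRM menu."""
    try:
        resolve_profiles(groups, "listings", f"reset=1&gid={gid}")
    except ProfileAccessError:
        return "civicrm"
    return f"civicrm/profile?reset=1&gid={gid}"


def is_denied(groups, action, query):
    """True if the request is refused with the standard message."""
    try:
        resolve_profiles(groups, action, query)
    except ProfileAccessError as exc:
        return str(exc) == ERROR_MSG
    return False


if __name__ == "__main__":
    print([g.title for g in resolve_profiles(SAMPLE_GROUPS, "listings", "reset=1")])
    for q in ("reset=1&gid=1", "reset=1&gid=2", "reset=1&gid=3", "reset=1&gid=%"):
        print(q, "denied" if is_denied(SAMPLE_GROUPS, "create", q) else "allowed")
```

The point of routing every entry (listings, create, edit, view, and the post-save link) through one `resolve_profiles` is that the original bug came from the listing link being reachable after a save on a profile that should never have rendered at all; a check that only covered the initial GET would leave that path open.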
— Original post from David Geilhufe ----
(1) Uncheck all options for a profile... user reg, profile, etc. Logically this is the same as disabling the profile; however, the page
http://demo.civicrm.org/drupal/civicrm/profile/create?reset=1&gid=1 AND http://demo.civicrm.org/drupal/civicrm/profile/edit?reset=1&gid=1 still displays. If profile is unchecked, you should not be able to "use it for customized listings and view screens for the civicrm/profile path"
[I can see how this might be considered a feature since you can disable a profile and everything works fine, but it is a little confusing ]
(2) Second bug could not be tested on the demo due to another bug--
Blocker:
(0) User auth/auth. User has only CiviCRM profile and civicontribute permissions, no others.
(1) Create a profile.
(2) go to /civicrm/profile/create?reset=1&gid=% [tested with multiple GIDs]
(3) Enter information and hit submit:
Sorry. A non-recoverable error has occurred.
is not of the type Positive
Return to CiviCRM menu.
SECOND bug:
Exploit to access entire CiviCRM database via the profile listings functionality [could not be tested on demo due to blocker, but tested on civicspacelabs.org]:
(0) User auth/auth. User has only CiviCRM profile and civicontribute permissions, no others.
(1) Create profile.
(2) Uncheck ALL profile functionality - user reg, profile, etc.
(3) go to /civicrm/profile/create?reset=1&gid=%
(4) enter information and save
(5) get confirmation message and a "return to listings" hyperlink
(6) click on hyperlink and get a listing of ALL civicrm records in the database with clear text email addresses.