
Access to some civicrm/admin URLs allowed without Administer CiviCRM permissions

      Description

      Someone without Administer CiviCRM permission can get to some pages that start with civicrm/admin as detailed below.

      1. A logged in user w/o Administer CiviCRM but with Access Event permissions can access and make changes to the following pages if they go directly to the URL:

      /civicrm/admin/price?reset=1
      /civicrm/admin/price?reset=1&action=add.

      i.e., you can create or alter a price set without Access CiviCRM or Administer CiviCRM permissions.

      2. The following cases are not as clear but I think a logged in user w/o Administer CiviCRM but with Access CiviMail permissions can access and make changes to the following pages if they go directly to the URL:

      /civicrm/admin/mailSettings?reset=1
      /civicrm/admin/component?reset=1
      /civicrm/admin/mail?reset=1

      3. A logged in user w/o Administer CiviCRM but with Access Report permissions can access the following pages if they go directly to the URL:

      civicrm/admin/report/options/report_template?reset=1
      civicrm/admin/report/template/list?reset=1

      I am not sure if they can actually do any harm - there were too many reports for me to test and perhaps Access CiviReports is a special case where they should be able to do that anyway.

      This came from CRM-14841
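The pattern behind all three cases is that each page under civicrm/admin enforces only its own component permission (Access Event, Access CiviMail, Access Report), so the admin namespace itself grants nothing extra. An added illustration, written for this issue and not taken from CiviCRM's code base, shows a deny-by-default gate that resolves the longest matching route prefix and requires "administer CiviCRM" for anything under civicrm/admin unless a rule explicitly lists other permissions. The route table, the permission strings and the `is_allowed` / `audit` functions are assumptions for the example; the URLs come from the report.

```python
"""Deny-by-default route permission gate (example only; not CiviCRM code).

A hypothetical dispatcher would call is_allowed() before rendering any page.
Longest-prefix matching means a page added under civicrm/admin later still
inherits the admin requirement unless someone deliberately adds an exception.
"""
from urllib.parse import urlsplit

# Constructed route table: route prefix -> permissions, any ONE of which grants access.
ROUTE_PERMISSIONS = {
    "civicrm/admin": {"administer CiviCRM"},
    "civicrm/event": {"access CiviEvent"},
    "civicrm/mailing": {"access CiviMail"},
    # Hypothetical exception: the report wonders whether template listing should
    # remain reachable with Access CiviReport. An exception must be explicit.
    "civicrm/admin/report/template/list": {"administer CiviCRM", "access CiviReport"},
}


def normalize(url: str) -> str:
    """Reduce a URL to its route: drop query string, fragment and stray slashes,
    so '/civicrm/admin/price?reset=1&action=add' becomes 'civicrm/admin/price'.
    The query (reset=1, action=add) never influences authorization."""
    path = urlsplit(url).path
    return "/".join(segment for segment in path.split("/") if segment)


def required_permissions(url: str):
    """Return the permission set of the most specific matching prefix, or None
    when no rule covers the route. 'civicrm/adminx' must not match 'civicrm/admin',
    hence the explicit '/' boundary."""
    route = normalize(url)
    best = None
    for prefix in ROUTE_PERMISSIONS:
        if route == prefix or route.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best):
                best = prefix
    return ROUTE_PERMISSIONS[best] if best is not None else None


def is_allowed(user_permissions, url: str) -> bool:
    """Deny unless a rule exists AND the user holds at least one listed permission."""
    needed = required_permissions(url)
    if needed is None:
        return False  # no rule: deny rather than fall through to the page's own check
    return bool(set(user_permissions) & needed)


# Constructed regression set mirroring the three cases in the report.
REPORTED_CASES = {
    "access CiviEvent": [
        "/civicrm/admin/price?reset=1",
        "/civicrm/admin/price?reset=1&action=add",
    ],
    "access CiviMail": [
        "/civicrm/admin/mailSettings?reset=1",
        "/civicrm/admin/component?reset=1",
        "/civicrm/admin/mail?reset=1",
    ],
    "access CiviReport": [
        "civicrm/admin/report/options/report_template?reset=1",
        "civicrm/admin/report/template/list?reset=1",
    ],
}


def audit(cases=REPORTED_CASES):
    """For each single-permission user, list which reported URLs the gate still
    lets through. Anything returned here is a policy exception to review."""
    return {
        perm: [url for url in urls if is_allowed({perm}, url)]
        for perm, urls in cases.items()
    }


if __name__ == "__main__":
    for perm, reachable in audit().items():
        print(f"{perm}: {reachable or 'none of the reported URLs reachable'}")
```

Running the script lists, per component permission, only the URLs that remain reachable; with the table above that is just the deliberately excepted report-template listing, which is exactly the kind of output a reviewer should have to justify rather than discover by testing every admin page by hand.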


People

Assignee: David Greenberg (dgg)
Reporter: Joanne Chester (jchester)