
"Available for Dashboard" doesn't respect ACL Group/Role

Details

• Type: Bug
• Status: Open
• Priority: Minor
• Resolution: Unresolved
• Affects Version/s: 4.4.6, 4.5
• Fix Version/s: Unscheduled
• Component/s: CiviReport
• Labels: None
• Versioning Impact: Patch (backwards-compatible bug fixes)
• Documentation Required?: None

Description

Reports whose access is restricted via the "permission" field are hidden both in the "All Reports" list (/civicrm/report/list?reset=1) and are also not available for the dashboard. However, reports whose access is restricted via "ACL Group/Role" show up as available for the dashboard, a potential information leakage.

I did some digging, and it seems that the issue is at the schema level: reports have a "permission" and a "grouprole" field, but dashboard records only have a "permission" field. To implement correct behavior, we'd need to add "grouprole" to the dashboard entity, store it when saving the report, and modify Core_BAO_Dashboard::CheckPermissions.

I'd take a first crack at it, but there's a lot here I've never done! However, I'm available for testing, and I could implement the CheckPermissions portion if the rest happened.
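A small Python model of the gap described above, added here and not part of the issue or of CiviCRM's code: the report list checks both fields, while the dashboard record stores only "permission", so a report restricted by ACL role alone passes the dashboard check. All sample data, class names and the `passes` rule are constructed for illustration.

```python
# Model of the CRM-15111 gap: report visibility checks both fields, but the
# dashboard record only stores "permission", so "grouprole"-restricted reports
# leak onto the dashboard. Data and helpers are constructed, not CiviCRM code.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    permissions: frozenset   # CiviCRM permission strings the user holds
    acl_roles: frozenset     # ACL roles the user belongs to

@dataclass(frozen=True)
class Report:
    title: str
    permission: str = ""                # empty string: no permission restriction
    grouprole: frozenset = frozenset()  # empty set: no ACL role restriction

def passes(user, permission, grouprole):
    """Shared access rule: the permission (if set) must be held AND one of
    the ACL roles (if any are set) must match."""
    if permission and permission not in user.permissions:
        return False
    if grouprole and not (grouprole & user.acl_roles):
        return False
    return True

def report_visible(user, report):
    return passes(user, report.permission, report.grouprole)

def dashlet_buggy(report):
    # Current schema: the dashboard entity has no grouprole column, so it is dropped.
    return {"permission": report.permission}

def dashlet_fixed(report):
    # Proposed schema: grouprole is stored with permission when the report is saved.
    return {"permission": report.permission, "grouprole": report.grouprole}

def dashlet_visible(user, dashlet):
    # Stands in for the dashboard permission check; with the buggy record the
    # grouprole key is absent and is therefore treated as "unrestricted".
    return passes(user, dashlet["permission"], dashlet.get("grouprole", frozenset()))

def leaked_titles(user, reports, to_dashlet):
    """Reports offered on the dashboard although hidden from the report list."""
    return [r.title for r in reports
            if dashlet_visible(user, to_dashlet(r)) and not report_visible(user, r)]

REPORTS = [  # constructed sample data
    Report("Donor Summary", grouprole=frozenset({"Finance"})),
    Report("Admin Audit", permission="administer CiviCRM"),
    Report("Public Stats"),
]
VOLUNTEER = User(frozenset({"access CiviReport"}), frozenset({"Volunteer"}))

if __name__ == "__main__":
    print("buggy:", leaked_titles(VOLUNTEER, REPORTS, dashlet_buggy))  # ['Donor Summary']
    print("fixed:", leaked_titles(VOLUNTEER, REPORTS, dashlet_fixed))  # []
```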

People

• Assignee: Unassigned
• Reporter: Jon K Goldberg (palantejon)
