Details
- Type: Bug
- Status: Done/Fixed
- Priority: Major
- Resolution: Fixed/Completed
- Affects Version/s: 4.4.14, 4.6.4
- Component/s: Core CiviCRM
- Labels:
- Documentation Required?: None
- Funding Source: Contributed Code
Description
When using ACLs to protect data, information is available that should not be via the "Relationships" tab on the contact's profile page. I can't check this on the demo site due to Drupal permissions on the demo user, but have tested on vanilla Drupal CiviCRM installs for D7 with CiviCRM 4.4 & 4.6.
Reproduce by:
- create a new Drupal user with a role that can "Access CiviCRM" and "CiviCRM: view my contact" (so the user ONLY has access to their own contact page)
- create a relationship from the new user to the uid1 user (or any other)
- log in with the new user's credentials
- view the new user's profile page > Relationships tab
This new user, with no rights to access anyone but their own details, now has access to the uid1 (or other) user's email and phone number.
Furthermore, the new user can edit the relationship and enable the "can view and update information for" permission to gain editing access to any contacts that they have a relationship to.
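The following is an added model of the two problems just described, not code from this report or from CiviCRM: a relationship listing that copies the related contact's email and phone into the viewer's tab without asking whether the viewer may see that contact, and a relationship edit that lets the viewer set the "can view and update" flag on themselves. Each is shown beside a hardened form that routes through one permission check. The data model, the role names (`view_my_contact`, `view_all_contacts`, `edit_all_contacts`) and the sample contacts are constructed for the illustration and are not CiviCRM's schema or API.

```python
from dataclasses import dataclass

VIEW, EDIT = "view", "edit"


@dataclass
class Contact:
    id: int
    name: str
    email: str
    phone: str


@dataclass
class Relationship:
    id: int
    contact_a: int              # the contact whose profile lists the relationship
    contact_b: int              # the related contact
    a_can_edit_b: bool = False  # models the "can view and update information for" flag


@dataclass
class Viewer:
    contact_id: int
    roles: frozenset            # constructed role names, not Drupal/CiviCRM permission strings


def make_fixture():
    """Constructed sample data: contact 1 stands in for uid1, contact 2 for the new user."""
    contacts = {
        1: Contact(1, "Site Admin", "admin@example.org", "+1-555-0100"),
        2: Contact(2, "New User", "new@example.org", "+1-555-0199"),
    }
    rels = [Relationship(10, contact_a=2, contact_b=1)]
    return contacts, rels


def permitted(viewer, contact_id, level, rels):
    """Single access decision: own record always; broad roles; or a relationship
    flag that was granted by someone already entitled to edit the target."""
    if contact_id == viewer.contact_id:
        return True
    if "edit_all_contacts" in viewer.roles:
        return True
    if level == VIEW and "view_all_contacts" in viewer.roles:
        return True
    return any(r.contact_a == viewer.contact_id and r.contact_b == contact_id
               and r.a_can_edit_b for r in rels)


def other_party(viewer, rel):
    return rel.contact_b if rel.contact_a == viewer.contact_id else rel.contact_a


def relationship_tab_vulnerable(viewer, rels, contacts):
    """Leaks: only checks that the viewer is a party to the relationship."""
    rows = []
    for r in rels:
        if viewer.contact_id in (r.contact_a, r.contact_b):
            o = contacts[other_party(viewer, r)]
            rows.append({"name": o.name, "email": o.email, "phone": o.phone})
    return rows


def relationship_tab_hardened(viewer, rels, contacts):
    """The relationship itself belongs to the viewer's record, so the related
    contact's name is shown; contact details require VIEW on that contact."""
    rows = []
    for r in rels:
        if viewer.contact_id not in (r.contact_a, r.contact_b):
            continue
        oid = other_party(viewer, r)
        row = {"name": contacts[oid].name}
        if permitted(viewer, oid, VIEW, rels):
            row["email"] = contacts[oid].email
            row["phone"] = contacts[oid].phone
        rows.append(row)
    return rows


def grant_edit_permission_vulnerable(viewer, rel, rels):
    """Escalation: any party to the relationship can flip the flag."""
    rel.a_can_edit_b = True
    return True


def grant_edit_permission_hardened(viewer, rel, rels):
    """Setting 'A can edit B' changes B's access policy, so the actor must
    already hold EDIT on contact B; the flag itself is never consulted here
    until after it has been legitimately granted."""
    if not permitted(viewer, rel.contact_b, EDIT, rels):
        return False
    rel.a_can_edit_b = True
    return True


if __name__ == "__main__":
    contacts, rels = make_fixture()
    low = Viewer(2, frozenset({"view_my_contact"}))
    print("vulnerable tab:", relationship_tab_vulnerable(low, rels, contacts))
    print("hardened tab:  ", relationship_tab_hardened(low, rels, contacts))
    print("self-grant allowed (hardened):", grant_edit_permission_hardened(low, rels[0], rels))
```

The design point is that the relationship tab and the relationship edit form are two different code paths reaching the same contact data, so both must call the same `permitted` check; the tab may list that a relationship exists (that fact lives on the viewer's own record) while withholding fields that belong to the other contact.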
This seems like a hole in CiviCRM's security / protection of data. The ACL bit in the title was because this was noticed with ACLs set - but given that this happens with no access to civi's contacts other than *CiviCRone numbers are considered sensitive information.
This also gives the ability to give editing rights to anyone that has a relationship to my employer, for instance.
Would you guys say that it is fair to say that this is a data protection issue?