Details
- Type: Improvement
- Status: Done/Fixed
- Priority: Minor
- Resolution: Won't Fix
- Affects Version/s: 4.4.19, 4.6.9
- Fix Version/s: Unscheduled
- Component/s: CiviContribute
- Labels: None
- Documentation Required?: None
- Funding Source: Needs Funding
Description
Although this is a known issue - and I think it relates to: https://issues.civicrm.org/jira/browse/CRM-16815, the workaround there will not apply to 4.4, as deduping on profiles is limited.
On top of that, it does not feel right to allow anon users to edit / damage the data in a database just by having a list of email addresses.
To re-create:
- create contact (with a name to prove the point)
- create event (free is always useful!)
- ensure civi_register for events perms in the matrix
- register for the event as an anon user, entering a different name to that above but with the same email
- check the contact
- name has changed.
When the profile has many fields, they can all be changed.
This cannot be mitigated using ACLs, as giving only "create" perms on the profile to everyone (and removing Drupal's Anon perms) still allows the user to edit the changes (although now not the "employer" field).
Does anyone have an idea of how fixable this would be?