Details
- Type: Bug
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: 4.7.2
- Fix Version/s: Unscheduled
- Component/s: Core CiviCRM
- Labels:
- Versioning Impact: Patch (backwards-compatible bug fixes)
- Documentation Required?: None
- Funding Source: Needs Funding
Description
When I give users the privilege of viewing their own dashboard, the dashboard link appears, but when accessing it I get:
"Sorry but we are not able to provide this at the moment.
API permission check failed for Group/get call; insufficient permission: require access CiviCRM
Return to home page."
Enabling "access CiviCRM" also gives them access to the API and the backend, where they can view their contact record, which has a boatload of information they don't necessarily need to see, as well as edit their contact info even though the "Edit My Contact" privilege is not enabled, which is IMHO a huge security issue.
I did try to look for the code that specifies "access CiviCRM" for the Group/get call but I'm not sure where in the jungle that may be lurking. If you have any ideas on where the privileges for calls are (or should be) defined, I am willing to work on it.
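For readers looking for the same thing: the per-entity API permission map that produces the "require access CiviCRM" message is declared in core's `_civicrm_api3_permissions()` (CRM/Core/DAO/permissions.php), and extensions can adjust it at check time through `hook_civicrm_alterAPIPermissions`. The following is an added illustration, not code from the reporter or from CiviCRM core, of how a site-specific extension could let a dashboard-only role call Group.get without being granted the broad "access CiviCRM" permission. It assumes the CiviCRM 4.7 hook signatures `hook_civicrm_permission(&$permissions)` and `hook_civicrm_alterAPIPermissions($entity, $action, &$params, &$permissions)`, a hypothetical extension key `dashgroups`, and a hypothetical permission name "view dashboard groups".

```php
<?php
// Added example (hypothetical extension "dashgroups"); not part of the bug
// report or of CiviCRM core. Hook names and signatures follow the CiviCRM 4.7
// hook documentation; the permission name is an assumption for illustration.

/**
 * Implements hook_civicrm_permission().
 *
 * Registers a narrow, site-specific permission so it can be assigned to the
 * dashboard role in the CMS role editor instead of "access CiviCRM".
 */
function dashgroups_civicrm_permission(&$permissions) {
  $permissions['view dashboard groups'] = [
    'CiviCRM: view dashboard groups',                          // label
    'Read group metadata via Group.get for the dashboard only', // description
  ];
}

/**
 * Implements hook_civicrm_alterAPIPermissions().
 *
 * Runs just before the API permission check. $permissions is the map built by
 * core's _civicrm_api3_permissions(), keyed by lowercase entity and action;
 * a top-level array is ANDed and a nested array is ORed by
 * CRM_Core_Permission::check().
 */
function dashgroups_civicrm_alterAPIPermissions($entity, $action, &$params, &$permissions) {
  if (strtolower($entity) !== 'group' || strtolower($action) !== 'get') {
    return;
  }
  // Accept EITHER the permission core already required (the report shows
  // "access CiviCRM") OR the narrow dashboard permission. Nothing else about
  // Group.get (or any other entity/action) is changed.
  $permissions['group']['get'] = [
    ['access CiviCRM', 'view dashboard groups'],
  ];
}
```

Caveat for anyone adopting this pattern: the relaxed check applies to every Group.get call made by a holder of the new permission, including direct REST/AJAX calls, not only to the dashboard page, so only do this for entities whose data that role may legitimately read. It also does not touch the separate concern raised above about "access CiviCRM" exposing contact records and edit access; that still needs a core fix.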