[CRM-19919] Users can edit contact even if the necessary CMS permission isn't granted - CiviCRM Issue Tracker

Details

Type: Security Advisory
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: 4.6.24
Fix Version/s: None
Component/s: None
Labels:
None

Versioning Impact:
None (no code merged)
Documentation Required?:
None
Funding Source:
Needs Funding
Verified?:
No

Description

In testing the Dashboard feature I disabled the "edit my contact" permission for authenticated users however my test user is able to edit any relatives that are displayed in the user's dashboard even though he cannot edit his own record.
Seemingly the edit button should not appear for his relatives just as it does not for his own records.

See images

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Download All

Attachments

1E7at.png
2017-01-24 6:49
61 kB
Yosef Romano
4ZPzG.png
2017-01-24 6:49
48 kB
Yosef Romano
TUDbh.png
2017-01-24 6:49
63 kB
Yosef Romano
UuBIH.png
2017-01-24 6:49
36 kB
Yosef Romano
UXzcm.png
2017-01-24 6:49
74 kB
Yosef Romano

Activity

People

Assignee:

Unassigned

Reporter:

Yosef Romano

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Created:

2017-01-24 6:49

Updated:

2017-10-18 16:19