Details
- Type: Bug
- Status: Done/Fixed
- Priority: Important
- Resolution: Fixed/Completed
- Affects Version/s: 4.6.24, 4.7.18
- Component/s: CiviMail
- Security Level: Security - Published
- Labels: None
- Versioning Impact: Patch (backwards-compatible bug fixes)
- Documentation Required?: None
- Funding Source: Contributed Code
- Verified?: No
Description
It seems /civicrm/mailing/report/event, which is linked from the "(recipients)" link for each mailing on a contact's Mailings tab, isn't ACL-aware. E.g. for event=queue, it uses CRM_Mailing_Event_BAO_Queue::getRows(), which uses a SQL query with no ACL clause. Result: an ACL'd user with "access CiviMail" permission can go to an allowed contact's Mailings tab, find a mailing that was sent to all contacts, click (recipients) and see a list of all recipients' names & emails.
I think the right solution will be to block access to that listing if the user shouldn't have access to that mailing, rather than add an ACL clause to the SQL query, which will give the impression that the mailing had e.g. 1000 recipients (the ones the user is allowed to see) rather than the 50000 that it was actually sent to.
I.e. use the same approach as /civicrm/mailing/report = CRM_Mailing_Page_Report, calling CRM_Mailing_BAO_Mailing::checkPermission(). Have tested this fix successfully on 4.6.24.
Tim Otten commented: "+1 for calling BAO_Mailing::checkPermission() as part of the mailing report"
Currently CRM-20441 is blocking testing the problem/fix on dmaster. But the relevant code appears identical so pretty confident the problem/fix will apply there too.
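
The trade-off between the two fixes discussed above, as an added example that is not CiviCRM code and not part of the original report: a standalone PHP model contrasting the unchecked listing, an ACL clause on the recipient query, and a mailing-level permission gate. All function names, IDs and addresses are constructed for illustration.

```php
<?php
// Constructed model, not CiviCRM code: every name below is hypothetical.
// Mailing 7 was sent to five contacts. The ACL'd user may see contacts
// 1 and 2 only, and has no access to the mailing itself.
$recipients = [
    1 => 'a@example.org', 2 => 'b@example.org', 3 => 'c@example.org',
    4 => 'd@example.org', 5 => 'e@example.org',
];
$allowedContacts = [1, 2];
$allowedMailings = [];

// Behaviour described in the report: no ACL clause and no mailing check.
function listUnchecked(array $recipients): array {
    return $recipients;
}

// Rejected alternative: restrict rows to contacts the user may see.
function listAclFiltered(array $recipients, array $allowedContacts): array {
    return array_intersect_key($recipients, array_flip($allowedContacts));
}

// Proposed approach: refuse the whole listing unless the user may
// access the mailing, so no partial (misleading) list is ever shown.
function listIfMailingAllowed(int $mailingId, array $allowedMailings, array $recipients): array {
    if (!in_array($mailingId, $allowedMailings, true)) {
        throw new RuntimeException('Not permitted to view this mailing report');
    }
    return $recipients;
}

printf("unchecked:    %d rows (every recipient exposed)\n",
    count(listUnchecked($recipients)));
printf("ACL-filtered: %d rows (no exposure, but understates the send)\n",
    count(listAclFiltered($recipients, $allowedContacts)));
try {
    listIfMailingAllowed(7, $allowedMailings, $recipients);
} catch (RuntimeException $e) {
    printf("mailing gate: denied (%s)\n", $e->getMessage());
}
```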