Details
- Type: Improvement
- Status: Done/Fixed
- Priority: Minor
- Resolution: Duplicate
- Affects Version/s: 2.0
- Fix Version/s: 3.1
- Component/s: CiviCRM Profile
- Labels: None
Description
The ajax boxes for contact search and for changing the current employer don't appear to respect the logged-in user's permissions, i.e. I have a user with permissions only to view a small number of contacts / organisations, but when the contact clicks on the Ajax drop-down box the names of a whole lot of other people / organisations that they don't have permission to view appear. Selecting one of them tells them that they don't have permission to view this contact, but really they shouldn't see that the contact exists in the database as they don't have rights to them (and in some cases the fact that someone is in the database could be confidential information).
http://forum.civicrm.org/index.php/topic,7058.0.html
On a side note, it would be good if there were some additional sandbox logins set up (and set aside for) testing permissions issues.
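
The disclosure reported above comes from checking permission when a contact is selected rather than when the suggestion list is built. The following is an added example, not CiviCRM code, showing an autocomplete lookup with and without the view permission in the query. The `contact` and `acl_view` tables, the function names and the sample rows are hypothetical and constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: four contacts; user 7 may view two of them."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE contact (id INTEGER PRIMARY KEY, display_name TEXT);
        CREATE TABLE acl_view (user_id INTEGER, contact_id INTEGER);
        INSERT INTO contact VALUES
            (1, 'Acme Housing Trust'), (2, 'Acme Legal Aid'),
            (3, 'Adams, Jane'), (4, 'Acorn Clinic');
        INSERT INTO acl_view VALUES (7, 1), (7, 3);
    """)
    return db

def _pattern(term):
    # Escape LIKE wildcards so a typed '%' or '_' cannot widen the match.
    esc = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return esc + "%"

def autocomplete_unfiltered(db, user_id, term):
    """Reported behaviour: user_id is ignored, every matching name is returned."""
    rows = db.execute(
        "SELECT id, display_name FROM contact "
        "WHERE display_name LIKE ? ESCAPE '\\' ORDER BY display_name",
        (_pattern(term),))
    return rows.fetchall()

def autocomplete_filtered(db, user_id, term):
    """The ACL is part of the query, so hidden names never leave the server."""
    rows = db.execute(
        "SELECT c.id, c.display_name FROM contact c "
        "JOIN acl_view a ON a.contact_id = c.id AND a.user_id = ? "
        "WHERE c.display_name LIKE ? ESCAPE '\\' ORDER BY c.display_name",
        (user_id, _pattern(term)))
    return rows.fetchall()

def leaked(db, user_id, term):
    """Names the unfiltered lookup discloses beyond the user's ACL."""
    allowed = set(autocomplete_filtered(db, user_id, term))
    return [r for r in autocomplete_unfiltered(db, user_id, term) if r not in allowed]

if __name__ == "__main__":
    db = make_db()
    print("unfiltered:", autocomplete_unfiltered(db, 7, "Ac"))
    print("filtered:  ", autocomplete_filtered(db, 7, "Ac"))
    print("leaked:    ", leaked(db, 7, "Ac"))
```

`leaked` can be used as a regression check: for a restricted test login it should return an empty list for every search term once the lookup is permission-aware.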