Uploaded image for project: 'CiviCRM'
  1. CiviCRM
  2. CRM-5303

Searchbox displays all contacts, independently of ACLs

          Details

          • Type: Bug
          • Status: Done/Fixed
          • Priority: Major
          • Resolution: Duplicate
          • Affects Version/s: 3.0.1
          • Fix Version/s: None
          • Component/s: CiviCRM Search
          • Labels:
            None

            Description

            When stopping on the searchbox in the top bar (like after pressing the down-arrow), the auto-complete feature lists all contacts, even if the user does not have a view access to all contacts. This is an important security issue in my opinion, as it discloses the complete database to non-authorized users.

            I believe there is a serious issue behind this, as read-rights seem to be verified in the GUI part and not in the data-access layer. I suggest to change this in the next major release.

              Attachments

                Activity

                  People

                  • Assignee:
                    lobo Donald A. Lobo
                    Reporter:
                    keria Andras Keri
                  • Votes:
                    0 Vote for this issue
                    Watchers:
                    0 Start watching this issue

                    Dates

                    • Created:
                      Updated:
                      Resolved:

                      Time Tracking

                      Estimated:
                      Original Estimate - 2 hours
                      2h
                      Remaining:
                      Remaining Estimate - 2 hours
                      2h
                      Logged:
                      Time Spent - Not Specified
                      Not Specified