Uploaded image for project: 'CiviCRM'
  1. CiviCRM
  2. CRM-6013

REST API allows for deletion of the operator's contact

          Details

          • Type: Bug
          • Status: Done/Fixed
          • Priority: Minor
          • Resolution: Fixed/Completed
          • Affects Version/s: 3.1.3
          • Fix Version/s: 3.2
          • Component/s: None
          • Labels:
            None

            Description

            It seems the contact whose credentials are used for REST API login is able to delete themselves over that REST API connection.

            Steps to replicate:

            1. Authenticate through the REST API with some credentials.
            2. Try to delete the related contact via a subsequent API call.

            Result: the contact gets deleted; the REST API stops working (for that pair of credentials).

            Expected result: the contact does not get deleted.104

              Attachments

                Activity

                  People

                  • Assignee:
                    lobo Donald A. Lobo
                    Reporter:
                    shot Piotr Szotkowski
                  • Votes:
                    0 Vote for this issue
                    Watchers:
                    1 Start watching this issue

                    Dates

                    • Created:
                      Updated:
                      Resolved: