
Adding a required profile to Drupal user registration allows unauthenticated users to alter contact data

    Details

    • Type: Bug
    • Status: Done/Fixed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 3.1.3
    • Fix Version/s: 4.3.0
    • Component/s: Core CiviCRM
    • Labels:
      None

      Description

      Summary: if you add a CiviCRM profile and make it a requirement for Drupal user registration, AND you have Drupal user registration set to "Visitors can create accounts but administrator approval is required" ... if a user registers a Drupal account with an email address that already exists in the CiviCRM database, it will update the CiviCRM contact, even though their Drupal user account is in a "blocked" state. What this means is that any unauthenticated person can modify the contact data of anyone in the CiviCRM database merely by knowing their email address.

      One possible solution is to never display a required CiviCRM profile on the Drupal user registration page when admin approval is required for registering a Drupal user. Perhaps the form where one adds the profile as required to the registration page should check this Drupal setting in the formRule() function or something similar, and prevent a user from making that setting as long as Drupal user registration is moderated.

      But even that aside, it seems dangerous to allow any unverified/unauthenticated person to modify contact data, either accidentally or maliciously, simply by registering a Drupal user.
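      The guard proposed above, written out as an added example (not CiviCRM's own code): a formRule-style validation that refuses to mark a profile as required for Drupal user registration while Drupal registration is moderated, plus a display-time check for the registration page. It assumes a Drupal 6/7 host (variable_get() and the numeric user_register setting), CiviCRM's ts() and its formRule convention of returning true or a field => message error array, and a hypothetical form field name is_required_on_registration.

```php
<?php
// Added example, not code from CiviCRM or Drupal. Assumed environment:
// Drupal 6/7 (variable_get() exists), CiviCRM's ts() for messages.
// Drupal's user_register values: 0 = administrators only,
// 1 = visitors may register, 2 = visitors may register but admin approval is required.
define('REG_ADMIN_APPROVAL_REQUIRED', 2);

// True when new Drupal accounts start out blocked until an administrator approves them.
function drupalRegistrationIsModerated() {
  return (int) variable_get('user_register', 1) == REG_ADMIN_APPROVAL_REQUIRED;
}

// Display-time check: the registration page should not carry a required profile
// while accounts are moderated, so an unapproved registrant cannot push profile
// data onto an existing contact matched only by email address.
function shouldShowRequiredProfileOnRegistration() {
  return !drupalRegistrationIsModerated();
}

// Form-time check in the CiviCRM formRule convention (returns true or errors).
// $fields['is_required_on_registration'] is a hypothetical field name standing in
// for whatever checkbox marks the profile as required for Drupal registration.
function registrationProfileFormRule($fields, $files, $self) {
  $errors = array();
  $requiredOnRegistration = !empty($fields['is_required_on_registration']);

  if ($requiredOnRegistration && drupalRegistrationIsModerated()) {
    $errors['is_required_on_registration'] = ts(
      'A profile cannot be required for Drupal user registration while Drupal '
      . 'requires administrator approval for new accounts: unapproved (blocked) '
      . 'registrants could otherwise update existing contact records.'
    );
  }

  return empty($errors) ? true : $errors;
}
```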

            People

            • Assignee: Donald A. Lobo (lobo)
            • Reporter: Nathan Kinkade (nkinkade)
            • Votes: 0
            • Watchers: 2
