CiviCRM / CRM-8609

Any users including non-logged in public can view map pages and therefore contact name and address info for any contact id

    Details

    • Type: Bug
    • Status: Done/Fixed
    • Priority: Major
    • Resolution: Fixed/Completed
    • Affects Version/s: 3.4.5, 4.0.5
    • Fix Version/s: 3.4.6
    • Component/s: Core CiviCRM
    • Labels:
      None

      Description

      The mapping pages do not abide by any permissioning in Joomla. Therefore mapping pages and contact information are publicly available on all sites by using a standard URL string and putting in any contact id.

      Example URL is:

      http://joomla.demo.civicrm.org/index.php?option=com_civicrm&task=civicrm/profile/map&reset=1&pv=1&cid=2&gid=1

      This is available even if the mapping is not enabled on the profile.

      See forum topic:

      http://forum.civicrm.org/index.php/topic,20965.0.html

      Need to have some sort of field with the mapping choice on the profile to say 'public pages' or 'user & user admin' to show whether the mapping is viewable by non-users, also to check whether mapping is enabled for the profile or not.

      Hope that is enough info!

      Probably affects all previous versions too, not sure what priority this should have as there is no mention of data security in the level info - please feel free to change as you see fit.
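
A defensive check for the exposure described in this report, added here as an example; it is not part of the original issue or of CiviCRM's code. It scans a web access log for clients that fetched the map route with several different `cid` values. The combined log format, the sample lines and the `min_distinct` threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (documentation IPs, made-up timestamps).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2012:10:00:01 +0000] "GET /index.php?option=com_civicrm&task=civicrm/profile/map&reset=1&pv=1&cid=2&gid=1 HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jan/2012:10:00:02 +0000] "GET /index.php?option=com_civicrm&task=civicrm%2Fprofile%2Fmap&reset=1&pv=1&cid=3&gid=1 HTTP/1.1" 200 5093
198.51.100.7 - - [01/Jan/2012:10:00:03 +0000] "GET /index.php?option=com_civicrm&task=civicrm/profile/map&reset=1&pv=1&cid=4&gid=1 HTTP/1.1" 200 5177
203.0.113.9 - - [01/Jan/2012:10:05:00 +0000] "GET /index.php?option=com_civicrm&task=civicrm/profile/map&reset=1&pv=1&cid=2&gid=1 HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jan/2012:10:05:09 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 812
192.0.2.44 - - [01/Jan/2012:10:06:00 +0000] "GET /index.php?option=com_civicrm&task=civicrm/profile/map&reset=1&pv=1&cid=9&gid=1 HTTP/1.1" 403 310
"""

# client IP, request target and status code from a common/combined log line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')


def map_hits(log_text):
    """Yield (ip, cid, status) for every request to the Joomla map route."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        # parse_qs percent-decodes values, so task=civicrm%2Fprofile%2Fmap matches too
        q = parse_qs(urlsplit(target).query)
        if q.get("option") == ["com_civicrm"] and q.get("task") == ["civicrm/profile/map"]:
            for cid in q.get("cid", []):
                if cid.isdigit():
                    yield ip, int(cid), int(status)


def flag_enumeration(log_text, min_distinct=3):
    """Return {ip: sorted contact ids} for clients served >= min_distinct distinct cids."""
    served = defaultdict(set)
    for ip, cid, status in map_hits(log_text):
        if status == 200:  # only count pages that were actually returned
            served[ip].add(cid)
    return {ip: sorted(c) for ip, c in served.items() if len(c) >= min_distinct}


if __name__ == "__main__":
    for ip, cids in flag_enumeration(SAMPLE_LOG).items():
        print(f"{ip} was served map pages for contact ids {cids}")
```

An access log does not record Joomla login state, so a flagged client still has to be compared against known staff addresses before it is treated as an outside viewer.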

            People

            • Assignee:
              lobo Donald A. Lobo
              Reporter:
              davesage Dave Sage