CiviCRM / CRM-9764

ACL not respected for some custom searches

    Details

    • Type: Bug
    • Status: Done/Fixed
    • Priority: Major
    • Resolution: Fixed/Completed
    • Affects Version/s: 4.1.0, 4.6
    • Fix Version/s: 4.6.5
    • Component/s: Core CiviCRM
    • Labels:
      None
    • Documentation Required?:
      None
    • Funding Source:
      Contributed Code

      Description

      The ACL does not seem to be respected for some of the custom searches.

      This may be a fairly big problem because access to run custom searches is also not ACLed, so any user with the ability to search for contacts could easily circumvent the ACL.

      Steps to reproduce.
      1) Sign in as an ACLed user and go to ROOT/civicrm/contact/search/custom?reset=1&csid=5
      2) Search without selecting group

      Results: Returns all users. You can carry out actions with these users like Export or Email. I'm not sure if further ACL happens on the list of contact IDs that are sent to tasks but that might mean this is less/more of an issue.

      I did some investigation (not very thorough) and this was the only example that I could find, so perhaps not a huge issue, but it seems like this is something that we should fix by ensuring that ACL is added to any custom searches that are shipped with core.

      An alternative / additional approach could be reducing the number of custom searches that are shipped with core once they can be packaged as extensions.

            People

            • Assignee:
              seamuslee Seamus Lee
              Reporter:
              michaelmcandrew Michael McAndrew