CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017. Learn more.
Author Topic: Security issue with profiles  (Read 1604 times)

SarahG (FountainTribe)
Security issue with profiles
November 13, 2009, 12:11:10 pm
I have created a Joomla menu item pointing to a profile that allows an end-user to update their phone number, name and address. This part is working. But, after the user saves their changes, there is a link labeled "Back to Listings" (url: http://demo.mygroup.com/index.php?option=com_civicrm&task=civicrm/profile&force=1&gid=1 ) that shows ALL contacts in the entire system.

The portion of the page that normally displays which smart group was used shows "Displaying contacts where: "

The url http://demo.mygroup.com/index.php?option=com_civicrm&task=civicrm/profile&force=1&gid=1 shows all contacts even if the end-user is NOT logged into Joomla.

This environment uses Joomla 1.5.14 and CiviCRM 3.0.2.

This issue is also affecting the CiviCRM Joomla sandbox. Just try: http://joomla.demo.civicrm.org/index.php?option=com_civicrm&task=civicrm/profile&force=1&gid=1


« Last Edit: November 13, 2009, 12:16:42 pm by sgladstone »
Dave Greenberg
Re: Security issue with profiles
November 13, 2009, 05:02:54 pm
You'll need to customize that TPL and remove the "Back to Listings" link.

To prevent folks from "constructing the link themselves" and seeing a list of contacts, use the "Limit Listings to Group" advanced setting on the Profile and point it to an empty group.

NOTE: In 3.1 for Drupal this has been made much more configurable (with separate permissions for profile create, profile edit and profile listings). Alas this is not yet available in Joomla.
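A way to verify the mitigation described above, added here as an example and not code from the thread or from CiviCRM: seed a canary contact with a unique name, then fetch the profile listing URL with no session cookie and confirm the canary does not appear. The listing path is the one quoted in the thread; the blank "Displaying contacts where:" check is a heuristic assumption based on the symptom reported above.

```python
import re
import urllib.request

# Listing URL pattern as quoted in the thread (gid is the profile id).
LISTING_PATH = "index.php?option=com_civicrm&task=civicrm/profile&force=1&gid={gid}"


def fetch_anonymous(base_url, gid, timeout=10):
    """Fetch one profile listing page with no cookies, i.e. as a logged-out visitor."""
    url = base_url.rstrip("/") + "/" + LISTING_PATH.format(gid=gid)
    req = urllib.request.Request(url, headers={"User-Agent": "profile-listing-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def where_clause_is_blank(html):
    """Heuristic (assumption): the filter text follows 'Displaying contacts where:' in the
    same text node; an empty filter matches the symptom reported in the thread."""
    m = re.search(r"Displaying contacts where:([^<]*)", html)
    return bool(m) and m.group(1).strip() == ""


def listing_exposure(html, canaries):
    """Report which canary contact names appear in an anonymously fetched listing page.
    'exposed' is driven by the canaries; the blank filter is reported as a warning signal."""
    found = [c for c in canaries if c in html]
    return {
        "canaries_found": found,
        "blank_where_clause": where_clause_is_blank(html),
        "exposed": bool(found),
    }


def check_profiles(base_url, gids, canaries):
    """Check several profile ids and return {gid: exposure report} for review."""
    return {gid: listing_exposure(fetch_anonymous(base_url, gid), canaries) for gid in gids}


if __name__ == "__main__":
    # Constructed sample page standing in for a fetched listing (no network needed).
    sample = "<p>Displaying contacts where: </p><table><tr><td>Canary Testcontact</td></tr></table>"
    print(listing_exposure(sample, ["Canary Testcontact"]))
```

Run `check_profiles("https://your-site.example", [1, 2], ["Canary Testcontact"])` after applying the "Limit Listings to Group" setting; any gid reporting `exposed: True` still leaks the contact list to anonymous visitors.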
SarahG (FountainTribe)
Re: Security issue with profiles
November 14, 2009, 07:35:16 am
Thanks, changing the profile settings to use an empty group worked.
alexmglover
Re: Security issue with profiles
December 18, 2009, 09:34:34 am
Is changing the tpl file advised? When you upgrade, the files are overwritten. Is there a way to avoid that, if this method is the way to get rid of these links?

SarahG (FountainTribe)
Re: Security issue with profiles
December 18, 2009, 09:43:55 am
Template files are not overwritten during an upgrade, as long as you place them in a custom template folder. To set up the custom folder, go into "Administer -- Configure -- Global Settings -- Directories." Then fill in "Custom Templates" with the absolute path where you keep your customized templates.
