CiviCRM Community Forums (archive)

*

News:

Have a question about CiviCRM?
Get it answered quickly at the new
CiviCRM Stack Exchange Q+A site

This forum was archived on 25 November 2017. Learn more.
How to get involved.
What to do if you think you've found a bug.



  • CiviCRM Community Forums (archive) »
  • Old sections (read-only, deprecated) »
  • Support »
  • Using CiviCRM »
  • Post-installation Setup and Configuration (Moderator: Dave Greenberg) »
  • Security problem ?
Pages: [1]

Author Topic: Security problem ?  (Read 1209 times)

sinasquax

  • Guest
Security problem ?
November 17, 2009, 03:33:07 am
Hello, i have a BIG problem with civicrm and drupal :

- I have many contacts in civicrm which have not their user equivalent in drupal
- In drupal, a visitor can create an user but he must validate his account with the mail address
- In the user creation page of drupal, there is the name + address profile of civicrm
- If a visitor creates an account with an email address he doesn't have and if this email address correspond to a contact in civicrm, the informations put by visitor will replace informations in the civicrm contact corresponding to the email address before he has validated his email !!!
- So someone which knows emails addresses used in civicrm can alter the contact informations

Maybe i did a misconfiguration, i didn't take a look in the code but if someone can confirm this.

Thank you and sorry for my bad english

Donald Lobo

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 15963
  • Karma: 470
    • CiviCRM site
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: Security problem ?
November 17, 2009, 09:20:40 am

you can work around this by:

a. do no expose a profile to drupal user registration

b. approve all user accounts, for accounts not approved delete the user account and civicrm contact

c. get the auth users to fill in the profile or expose it via My Account

lobo
A new CiviCRM Q&A resource needs YOUR help to get started. Visit our StackExchange proposed site, sign up and vote on 5 questions

sinasquax

  • Guest
Re: Security problem ?
November 17, 2009, 02:41:16 pm
Thank you for your answer but i can't use any of these solutions because of my needs.

Thank you.

sinasquax

  • Guest
Re: Security problem ?
November 18, 2009, 09:02:09 am
I found a solution to correct this problem :

1) On insert, don't call civicrm_register_data but save data in a new table
2) On login, check if user which is logged has data in the table and if yes, call civicrm_register_data with these data to insert/update the contact informations in civicrm and after remove data in table

With this patch, the contacts in civicrm are only added / updated when user is authentified (logged in drupal).

Donald Lobo

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 15963
  • Karma: 470
    • CiviCRM site
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: Security problem ?
November 18, 2009, 10:15:18 am

that is a most excellent solution. kudos on being so creative :)

lobo
A new CiviCRM Q&A resource needs YOUR help to get started. Visit our StackExchange proposed site, sign up and vote on 5 questions

sinasquax

  • Guest
Re: Security problem ?
November 18, 2009, 10:45:11 am
Thank you  :D

Pages: [1]
  • CiviCRM Community Forums (archive) »
  • Old sections (read-only, deprecated) »
  • Support »
  • Using CiviCRM »
  • Post-installation Setup and Configuration (Moderator: Dave Greenberg) »
  • Security problem ?

This forum was archived on 2017-11-26.