CiviCRM Community Forums (archive)


This forum was archived on 25 November 2017.




Author Topic: Contacts exposed despite ACL via activity/mailing autofill.  (Read 1420 times)

vanalive

Contacts exposed despite ACL via activity/mailing autofill.
November 19, 2009, 06:45:09 pm
I may have a misconfiguration error; otherwise this is a security concern.

When granting CiviCRM access to an ACL user, they get default access to two menu items.

New Activity
New Email

While they cannot search the database for contacts through the main search, when I go to either of these settings, the autofill queries the whole database, and for instance, if I type in "d", it starts showing them all users and emails (as I have a lot of email-only contacts) that contain that letter. While the user records are secure, even exposing emails or who is in our database is of concern. (We are using ACL with Domain to host more than one group.)

Again, maybe I have turned on a wrong setting.  But everything else works okay.

PS. moved from the wrong forum..

Donald Lobo

Re: Contacts exposed despite ACL via activity/mailing autofill.
November 19, 2009, 08:12:48 pm

this is fixed in v3.1 which is in alpha2

would be great if u can download and test this version and ensure it meets your security requirements

lobo

vanalive

Re: Contacts exposed despite ACL via activity/mailing autofill.
November 19, 2009, 08:55:15 pm
Thanks DL! 

For now I've deleted those items from the civicrm menu and will keep my access permissions limited.  We've got about 20K contacts, so I'll check in the roadmap for 3.1 and try to check on this or beta when I've got a chance to set up my sandbox.

Otherwise 3.0's been a charm.

- Dan
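
An added example, not part of the original posts and not CiviCRM code: a minimal model of the behaviour reported in this thread, comparing a contact autocomplete that skips the ACL join with one that applies it, plus a regression check that lists any contact ids returned beyond the caller's ACL. The table layout, user names and sample rows are constructed assumptions.

```python
import sqlite3

def build_db():
    """Constructed sample data: two hosted groups (domains) in one contact table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE contact (id INTEGER PRIMARY KEY, name TEXT, email TEXT, domain_id INTEGER);
        CREATE TABLE acl (user TEXT, domain_id INTEGER);
        INSERT INTO contact VALUES
            (1, 'Dana Ortiz', 'dana@example.org',  1),
            (2, 'David Lee',  'david@example.org', 2),
            (3, '',           'donor@example.net', 2),  -- email-only contact
            (4, 'Maya Reed',  'maya@example.org',  1);
        INSERT INTO acl VALUES ('alice', 1), ('bob', 2);
    """)
    return db

# Shared match clause: the typed fragment may appear in the name or the email.
MATCH = "(c.name LIKE :t OR c.email LIKE :t)"

def autocomplete_unfiltered(db, user, term):
    """Behaviour reported in the thread: the lookup never asks who is typing."""
    sql = f"SELECT c.id, c.name, c.email FROM contact c WHERE {MATCH} ORDER BY c.id"
    return db.execute(sql, {"t": f"%{term}%"}).fetchall()

def autocomplete_acl(db, user, term):
    """Same lookup restricted to the domains the caller's ACL grants."""
    sql = (f"SELECT c.id, c.name, c.email FROM contact c "
           f"JOIN acl a ON a.domain_id = c.domain_id AND a.user = :u "
           f"WHERE {MATCH} ORDER BY c.id")
    return db.execute(sql, {"u": user, "t": f"%{term}%"}).fetchall()

def leaked_ids(db, user, term, lookup):
    """Regression check: ids returned by `lookup` that the user's ACL does not cover."""
    allowed = {row[0] for row in db.execute(
        "SELECT c.id FROM contact c JOIN acl a ON a.domain_id = c.domain_id "
        "WHERE a.user = ?", (user,))}
    return sorted({row[0] for row in lookup(db, user, term)} - allowed)

if __name__ == "__main__":
    db = build_db()
    for fn in (autocomplete_unfiltered, autocomplete_acl):
        print(fn.__name__, "leaks contact ids:", leaked_ids(db, "alice", "d", fn))
```

The same subset check can be pointed at every secondary lookup (autocomplete, quick search, export) so that each one is compared against what the main search lets the user see.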


This forum was archived on 2017-11-26.