CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017. Learn more.


Author Topic: Question and Observation  (Read 1477 times)

johng

  • Guest
Question and Observation
February 15, 2010, 10:35:45 am
I'm not sure where to post this so I figured I would post in the general section of the site. As background info using Civi (Both Versions 3.03 and 3.1) and Joomla 1.5.15. I have organizations setup as well as employees, and the employees are marked as able to edit the organizations.

This started out as a need for an individual who is an employee of an organization to be able to update their organization's data. The individual would use their Joomla login to log in to the frontend of the site. My first attempt was to create a profile for the organization's data. This went fine, but when attempting to use the profile as an "individual" civi does not allow it on the front end (says the profile is configured for organizations.)

I dug around a bit and got the impression the solution was to make the dashboard available on the frontend. I created a Joomla menu item for it and then the user was able to see the basic organization data (relationship is in place) and edit it. Great. I tinkered around with this a bit and realized as an individual I could change the contact ID in the URL and update any record! This seems like a pretty large security hole. Basically I was able to edit any record in the database with a minimum amount of effort.

My question, I guess, is what is the best practice for allowing an individual to update the data of the organization they belong to (including custom data if it exists). Since it is individuals who access a website, this seems like it should be a very basic ability; however, I have not yet found a good solution and the dashboard access seems extremely insecure. Thanks for any input!

Dave Greenberg

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 5760
  • Karma: 226
    • My CiviCRM Blog
Re: Question and Observation
February 15, 2010, 04:12:19 pm
John - Allowing a user to change the contact ID in the URL and edit an organization that they don't have a permissioned relationship with is a bug which can and should be fixed. Please file an issue and we'll fix it for 3.1.3.
Protect your investment in CiviCRM by becoming a Member!
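The missing check Dave describes, as an added example that is not CiviCRM's or any poster's code: the dashboard edit action must derive the acting contact from the session and verify a permissioned relationship with the URL-supplied contact ID before rendering the form. The flag names follow civicrm_relationship's is_permission_a_b / is_permission_b_a columns; the relationship rows and the two function names are constructed for the illustration.

```php
<?php
// Added example, not CiviCRM's own code: the server-side check the dashboard
// "edit" action needs before trusting a contact ID taken from the URL. Rows
// mirror civicrm_relationship's is_permission_a_b / is_permission_b_a flags;
// the data and the two helper names are constructed for this illustration.
// Constructed relationship table: contact_id_a is the employee, _b the org.
const RELATIONSHIPS = [
    ['contact_id_a' => 101, 'contact_id_b' => 500, 'is_active' => 1, 'is_permission_a_b' => 1],
    ['contact_id_a' => 102, 'contact_id_b' => 500, 'is_active' => 1, 'is_permission_a_b' => 0],
    ['contact_id_a' => 103, 'contact_id_b' => 501, 'is_active' => 0, 'is_permission_a_b' => 1],
];

// True only if $actorId holds an active relationship that grants it
// permission to edit $targetId, checked in both directions.
function canEditContact(int $actorId, int $targetId, array $rels): bool
{
    if ($actorId === $targetId) {
        return true; // a contact may always edit its own record
    }
    foreach ($rels as $r) {
        if (empty($r['is_active'])) {
            continue; // an inactive (ended) relationship grants nothing
        }
        $aToB = $r['contact_id_a'] === $actorId && $r['contact_id_b'] === $targetId;
        $bToA = $r['contact_id_b'] === $actorId && $r['contact_id_a'] === $targetId;
        if (($aToB && !empty($r['is_permission_a_b'])) || ($bToA && !empty($r['is_permission_b_a']))) {
            return true;
        }
    }
    return false;
}

// Edit handler: the cid comes from the URL, the actor only from the session.
function handleEdit(int $sessionContactId, array $query, array $rels): string
{
    $cid = filter_var($query['cid'] ?? '', FILTER_VALIDATE_INT);
    if ($cid === false) {
        return 'HTTP 400: missing or malformed cid';
    }
    if (!canEditContact($sessionContactId, $cid, $rels)) {
        return 'HTTP 403: no permissioned relationship with contact ' . $cid;
    }
    return 'OK: render edit form for contact ' . $cid;
}
// Employee 101 may edit org 500; the same user tampering the URL to cid=501,
// or employee 102 whose relationship lacks the permission flag, is refused.
echo handleEdit(101, ['cid' => '500'], RELATIONSHIPS), PHP_EOL;
echo handleEdit(101, ['cid' => '501'], RELATIONSHIPS), PHP_EOL;
echo handleEdit(102, ['cid' => '500'], RELATIONSHIPS), PHP_EOL;
```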

johng

  • Guest
Re: Question and Observation
February 16, 2010, 07:31:29 am
I opened a bug report...

What is the standard procedure to allow an individual to edit organization data including custom data if there is any? Thanks!

Dave Greenberg

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 5760
  • Karma: 226
    • My CiviCRM Blog
Re: Question and Observation
February 16, 2010, 09:42:01 am
John - Thx for posting the bug report. The Contact Dashboard is the only out-of-the-box solution for individuals who don't have access to the CiviCRM back end to edit 'their' org's data. And this method doesn't (yet) support custom fields. Your options are:

- step up and sponsor (or contribute a patch) to make this happen (we think it's about a 30 hr project)

- extend the existing 'related contact' form (or an individual profile form) to include the fields you need for their organization using hooks (and share your solution)

Either approach would be a great contribution since this has come up fairly often lately.

Eileen

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4195
  • Karma: 218
    • Fuzion
Re: Question and Observation
February 16, 2010, 01:50:45 pm
We tend to create a profile for them to edit their employees profile with and then customise the dashboard so that the 'edit' link points to the profile record.

It may be possible to do this entirely in userdashboard.tpl but we have tended to use userdashboard.php to change the links. A hook would also do it.

There is a description of how to do this in the forum somewhere, but I couldn't find it just now. I think Peter has the topic number inscribed in his brain, so hopefully he'll add the link.

Make today the day you step up to support CiviCRM and all the amazing organisations that are using it to improve our world - http://civicrm.org/contribute

Dave Greenberg

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 5760
  • Karma: 226
    • My CiviCRM Blog
Re: Question and Observation
February 16, 2010, 08:42:54 pm
Eileen - maybe you or Peter can add a recipe for this on the wiki - in the "Linking Profiles" section.

petednz

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4899
  • Karma: 193
    • Fuzion
  • CiviCRM version: 3.x - 4.x
  • CMS version: Drupal 6 and 7
Re: Question and Observation
February 16, 2010, 09:50:20 pm
I think Tim's solution is the one Eileen is referring to here - http://forum.civicrm.org/index.php/topic,5699.0.html
Sign up to StackExchange and get free expert advice: https://civicrm.org/blogs/colemanw/get-exclusive-access-free-expert-help

pete davis : www.fuzion.co.nz : connect + campaign + communicate

johng

  • Guest
Re: Question and Observation
February 17, 2010, 12:29:11 pm
Sounds good, I am pretty comfortable with editing templates and working with the db so it shouldn't be a big deal. I will post anything I come up with. Now to find some time to work on it  ;D
