CiviCRM Community Forums (archive)

Hi there,

I'm new to CiviCRM, so please forgive me if I ask stupid questions

I just installed CiviCRM 3.1.4 on Drupal 6.14 and try to figure out what it can do for me. Regarding profiles, I observed the following:
(a) a fresh installation sets up several profiles to be used as "profile" (... well, I'm struggling with the wording... who would expect to use a "profile" not as a "profile"...)
(b) three of them (new household, new individual, new organization) are "reserved" - I assume that is the reason why I cannot edit any settings.
(c) I don't have to be logged in to be able to query data via URL editing: http://mydomain.tld/civicrm/profile/view?reset=1&id=<the_id_i_am_curious_about>&gid=1
(d) I also don't have to be logged in to be able to create new records: http://mydomain.tld/civicrm/profile/create?reset=1&gid=5 lets me create a new organization.

This worries me. However, maybe I didn't understand the concept. So I came up with some questions:
(1) is it really the case that profiles used as "profile" are an intended vulnerability (as pointed out here http://issues.civicrm.org/jira/browse/CRM-4131#action_31732)?
(2) is removing the usage as "profile" the (only) solution to this exposure?
(3) how could I edit the settings of the "reserved" profiles?
(4) is there any particular reason why I should have profiles at all - or could I just remove/deavtivate all of them for security reasons?
(5) I see no point in anonymous record creation. Who does? Or what did I miss to prevent that?

Thanks in advance for answers, comments & sympathy

Cheers,

Reinhard.

Hi,

Can you try generating the urls you describe on civicrm demo?

for this one:
http://drupal.demo.civicrm.org/civicrm/profile/view?reset=1&id=1

I don't see any security problem, and I don't see information about the user 1. You might have granted civicrm access to anonymous on your configuration?

X+