CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017. Learn more.

Author Topic: Should civicrm/menu/rebuild?reset=1 be tied to "administer CiviCRM" permission?  (Read 2012 times)

CiviTeacher.com

Should civicrm/menu/rebuild?reset=1 be tied to "administer CiviCRM" permission?
August 27, 2011, 04:29:32 pm
The menu rebuild will only work if a user has 'administer CiviCRM' permission. Perhaps this is to close some kind of security hole I am unaware of. But if it is possible to open up the menu rebuild to "access CiviCRM" permission I suggest we should.

The reason I offer this is while recently changing the permissions structure of a 4.0.5 site, many users complained that CiviContribute was still showing up in their menu when they logged in. Clearing cache in browser had no effect. When I suggested they rebuild their menu using civicrm/menu/rebuild?reset=1 they could not because they lacked permissions to do so. The menu rebuild civicrm/menu/rebuild?reset=1 was the solution, but I had to temporarily grant these users 'administer CiviCRM' permission, which was an undesirable but necessary tactic to solve the problem, and a security hole (albeit temporary) in and of itself.

Donald Lobo

Re: Should civicrm/menu/rebuild?reset=1 be tied to "administer CiviCRM" permission?
August 28, 2011, 06:20:14 am

menu/rebuild is a pretty intensive operation and hence restricted to roles with the "administer civicrm" permission. We wanted something a bit narrower than "access civicrm"

not sure why u consider that a "security hole". if you had to grant someone that privilege temporarily, any reason why u did not do it?

lobo

JoeMurray

Re: Should civicrm/menu/rebuild?reset=1 be tied to "administer CiviCRM" permission?
August 30, 2011, 10:48:42 am
If it was necessary in the regular course of events to provide this privilege I would be concerned. Another tactic I might have tried that might have helped avoid giving them this privilege is to clear the sessions table. This effectively logs them out, and when they come back in they would get the appropriate permissions and thus appropriate menu.

Just a thought.


This forum was archived on 2017-11-26.