CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017.

Author Topic: ACL Group -> Security Issue?  (Read 1871 times)

yamba

  • Guest
ACL Group -> Security Issue?
February 02, 2008, 11:58:41 pm
Hi,

I would like to verify whether there is a security issue or whether my configuration is wrong (CiviCRM 1.9, Drupal)

- I use CiviCRM ACL to manage access to profiles and custom fields groups
- I create Drupal users, which are linked to CiviCRM contacts
- I add specific users/contacts into specific CiviCRM Groups in order to provide specific access (ACL)

How come any CiviCRM user who has access to the "Groups" tab is able to set ACL Groups?

Right now, in my installation, any user is able to search for his CiviCRM contact and put himself in any ACL Group of his choice.

Did I miss a configuration?

Thanks!

Dave Greenberg

  • Administrator
Re: ACL Group -> Security Issue?
February 04, 2008, 02:40:43 pm
Groups with "User and User Admin Only" visibility are excluded from the Contact Dashboard and Profiles. I had thought that we also excluded these groups from the Groups tab for users who didn't have "administer CiviCRM" permission. However, I just confirmed (in 2.0 alpha) that this is not the case.

I think this is a bug - but I may also be "missing something" - so I'll do some further checking and post back here.

yamba

  • Guest
Re: ACL Group -> Security Issue?
February 04, 2008, 05:00:14 pm
Thanks again for your help. In the meantime, I used the Hook to add some code in order to block the group modification.

Dave Greenberg

  • Administrator
Re: ACL Group -> Security Issue?
February 04, 2008, 05:57:08 pm
After more research and testing things out with 2.0 alpha code (under Drupal)...

The Groups tab from "view contact" and the Manage Groups listings do exclude non-permitted groups IF the logged-in user is subject to ACL control of their access to groups of contacts. This means:
 - their Drupal role does NOT include "view all contacts"
 - they are a member of one or more ACL groups, which are assigned to ACL roles which explicitly give them view or edit permission on group(s) of contacts

You can see this in action on the sandbox (http://sandbox.civicrm.org) - by logging in as:
user = aclteset
password = demo

... and going to the Groups tab for Jane Acltest contact ( http://sandbox.civicrm.org/civicrm/contact/view?reset=1&cid=125 ). She can only add herself to the 2 groups that she's been given ACL access to - Newsletter Subscribers and Summer Program Volunteers.

The setup for this user is:
* They are a member of the "Volunteers ACL Group"
* That group is assigned to the "Volunteers" ACL Role
* That role is granted Edit rights on the two Mailing List groups listed above (Newsletters, Summer Volunteers)
* That user has just the basic "authenticated" Drupal role - which currently does NOT have the "view all contacts" permission. (My understanding is that this is the correct way to configure the Drupal role if you want to limit access to CiviCRM contact groups using ACLs. If you grant this user "view all contacts" via Drupal access control - then they indeed get to see everyone - which is not the case we're testing here.)

There are however 2 bugs in 2.0 that affect this scenario:
http://issues.civicrm.org/jira/browse/CRM-2619
http://issues.civicrm.org/jira/browse/CRM-2618

yamba

  • Guest
Re: ACL Group -> Security Issue?
February 04, 2008, 07:38:38 pm
Thanks for the highlights! I understood the config you described (and had a preview of 2.0, wow!).

My problem with this config is that I have 140 groups (130 intelligent groups and 10 ACL groups) in my organization and I've just tested with Drupal/1.9: if I create an ACL with "All groups", the user assigned to this ACL can of course add users to ACL groups, even if he doesn't have the Drupal accesses for "View All Contacts" or "Edit All Contacts".

I understand that my 140-group situation is not a common situation, and I assume that creating 140 ACLs for each ACL Role would slow down the application. To avoid this, I'll block the Group modification with the Hook.php

Thanks
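An added example (not code from this thread, nor CiviCRM's own) of the kind of hook yamba describes: a `hook_civicrm_pre` implementation that refuses to change the membership of any ACL group unless the acting user holds "administer CiviCRM". It assumes the current CiviCRM hook signature (`$id` is the group id and `$params` the contact ids for a `GroupContact` write), that groups assigned to ACL roles are rows in `civicrm_acl_entity_role` with `entity_table = 'civicrm_group'`, and that throwing from a pre hook aborts the write; the `myacl` prefix is a hypothetical module/extension name.

```php
<?php
/**
 * Implements hook_civicrm_pre().
 *
 * Added example, not CiviCRM's own code. Assumptions (modern CiviCRM hook API):
 *  - for $objectName === 'GroupContact', $id is the group id and $params is
 *    the array of contact ids being added ('create') or removed ('delete');
 *  - groups assigned to an ACL role appear in civicrm_acl_entity_role with
 *    entity_table = 'civicrm_group';
 *  - throwing from a pre hook aborts the write.
 * "myacl" is a hypothetical module/extension prefix.
 */
function myacl_civicrm_pre($op, $objectName, $id, &$params) {
  if ($objectName !== 'GroupContact' || !in_array($op, ['create', 'delete'], TRUE)) {
    return;
  }
  // Administrators may still manage ACL group membership through the UI.
  if (CRM_Core_Permission::check('administer CiviCRM')) {
    return;
  }
  if (!myacl_group_is_acl_group((int) $id)) {
    return;
  }
  // Log the blocked attempt so it shows up in CiviCRM's debug log for review.
  $contactIds = implode(',', array_map('intval', (array) $params));
  $actor = (int) CRM_Core_Session::getLoggedInContactID();
  CRM_Core_Error::debug_log_message(
    "Blocked ACL group membership change: op={$op} group={$id} contacts=[{$contactIds}] by contact {$actor}"
  );
  throw new CRM_Core_Exception('You are not permitted to change membership of an ACL group.');
}

/**
 * TRUE when the group is an ACL group: either it has the "User and User Admin
 * Only" visibility Dave mentions, or it is assigned to at least one ACL role.
 */
function myacl_group_is_acl_group($groupId) {
  $group = new CRM_Contact_DAO_Group();
  $group->id = $groupId;
  if ($group->find(TRUE) && $group->visibility === 'User and User Admin Only') {
    return TRUE;
  }
  $sql = "SELECT COUNT(*) FROM civicrm_acl_entity_role
          WHERE entity_table = 'civicrm_group' AND entity_id = %1";
  return CRM_Core_DAO::singleValueQuery($sql, [1 => [$groupId, 'Integer']]) > 0;
}
```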
