CiviCRM Community Forums (archive)


This forum was archived on 25 November 2017. Learn more.




Author Topic: D7 Profile perms, separate edit and view permission, edit CRM_Core_Permission  (Read 741 times)

britebyte

  • CiviCRM version: Several 3.4+, 4.1+
  • CMS version: Drupal 6, Drupal7
  • MySQL version: Several 5.1+
  • PHP version: Several 5.2+
D7 Profile perms, separate edit and view permission, edit CRM_Core_Permission
September 19, 2012, 01:11:53 pm
I have been investigating profile permissions and how to provide sign up forms for anonymous users while restricting the "Back to listing" link and the ability of malicious types to manipulate the URL and get access to our user data.
I found an almost perfect solution thanks to this post: http://forum.civicrm.org/index.php/topic,18095.msg75051.html#msg75051

If you take away the "CiviCRM: profile listings and forms" and "CiviCRM: profile listings" permissions from the anonymous user and give only "CiviCRM: profile create", "CiviCRM: profile edit", and "CiviCRM: profile view" then the anonymous user doesn't see the link and does get an access denied if they try to get to the listing page via direct URL entry - so far so good...

But if the anonymous user has both profile create and view they can manipulate the id in the profile/view URL to view any user's details (profile fields only) one by one:
http://oursite.com/civicrm/profile/view?gid=11&reset=1&id=3066 << increment this id one by one

Next try: Take away "CiviCRM: profile view", leave only edit in case we want to use the profile in edit mode by sending a checksum in a link. Also put a redirect URL on the profile so that we don't get an error after submission. However, there is still a problem.
Even if you remove the "CiviCRM: profile view" permission from the anonymous user then they can still view! The permission check happens in CRM_Core_Permission:
Code:
  public static function ufGroup($type = CRM_Core_Permission::VIEW) {
    $ufGroups = CRM_Core_PseudoConstant::ufGroup();

    $allGroups = array_keys($ufGroups);

    // check if user has all powerful permission
    if (self::check('profile listings and forms')) {
      return $allGroups;
    }

    switch ($type) {
      case CRM_Core_Permission::VIEW:
        if (self::check('profile view') ||
          self::check('profile edit')
        ) {
          return $allGroups;
        }
        break;

Clearly taking away "CiviCRM: profile view" and leaving edit is not possible by default.

I am experimenting with changing the if statement to if (self::check('profile view')) { and so far everything is working with no ill effects and anonymous cannot manipulate the URL. (They just cannot see their own details in VIEW mode either.)

Can anyone see a problem with making this change?
« Last Edit: September 19, 2012, 01:27:14 pm by britebyte »
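
An added example, not part of the original post and not CiviCRM code: one way to spot the one-by-one id requests to civicrm/profile/view described above in web server access logs. It assumes combined-format log lines; the sample lines, the function names and the threshold of 5 distinct contact ids are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample traffic (documentation IP ranges), not real log data.
_LINE = ('{ip} - - [19/Sep/2012:13:{m:02d}:00 +0000] '
         '"GET /civicrm/profile/view?gid=11&reset=1&id={cid} HTTP/1.1" {st} 512 "-" "-"')
SAMPLE_LOG = (
    # one client walking six consecutive contact ids; the last request is denied
    [_LINE.format(ip="198.51.100.7", m=i, cid=3066 + i, st=200 if i < 5 else 403)
     for i in range(6)]
    # another client reloading a single record three times
    + [_LINE.format(ip="203.0.113.20", m=30, cid=41, st=200)] * 3
    + ['203.0.113.20 - - [19/Sep/2012:13:31:00 +0000] '
       '"GET /civicrm/profile/create?gid=11&reset=1 HTTP/1.1" 200 900 "-" "-"']
)

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def profile_view_hits(lines):
    """Yield (client_ip, gid, contact_id, status) for each profile/view request."""
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        url = urlsplit(m["target"])
        if url.path.rstrip("/") != "/civicrm/profile/view":
            continue
        qs = parse_qs(url.query)
        gid, cid = qs.get("gid", [""])[0], qs.get("id", [""])[0]
        if gid.isdigit() and cid.isdigit():
            yield m["ip"], int(gid), int(cid), int(m["status"])

def enumeration_suspects(lines, min_distinct_ids=5):
    """Return {(ip, gid): {"ids": [...], "served": n}} for clients that requested
    at least min_distinct_ids different contact ids through one profile."""
    by_client = defaultdict(dict)  # (ip, gid) -> {contact_id: last status seen}
    for ip, gid, cid, status in profile_view_hits(lines):
        by_client[(ip, gid)][cid] = status
    return {
        key: {"ids": sorted(ids), "served": sum(s == 200 for s in ids.values())}
        for key, ids in by_client.items()
        if len(ids) >= min_distinct_ids
    }

if __name__ == "__main__":
    for (ip, gid), hit in enumeration_suspects(SAMPLE_LOG).items():
        print(f"{ip} gid={gid}: {len(hit['ids'])} ids requested, {hit['served']} served")
```

The "served" count separates requests that were answered with 200 from those that were denied, which shows whether a permission change actually closed the view path.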


This forum was archived on 2017-11-26.