CiviCRM Community Forums (archive)

*

News:

Have a question about CiviCRM?
Get it answered quickly at the new
CiviCRM Stack Exchange Q+A site
This forum was archived on 25 November 2017. Learn more.
How to get involved.
What to do if you think you've found a bug.



  • CiviCRM Community Forums (archive) »
  • Old sections (read-only, deprecated) »
  • Support »
  • Using CiviCRM »
  • Using Drupal Modules (Moderator: Donald Lobo) »
  • Other profiles viewable by anonymous users = Solved
Pages: [1]

Author Topic: Other profiles viewable by anonymous users = Solved  (Read 1236 times)

kennedy

  • I post occasionally
  • **
  • Posts: 119
  • Karma: 5
  • CiviCRM version: 4.5.5
  • CMS version: Drupal
  • PHP version: 5.3.10
Other profiles viewable by anonymous users = Solved
May 10, 2013, 03:55:10 am
I am using CiviCRM webform module and I want to pre-populate some of the fields if i send the link through CiviMail.
It is currently possible using the "Additional OptionsCreate Fieldsets, Confirm Subscriptions(tab)" on the web form .
Here it says  "To have this form auto-filled for anonymous users, enable the contact 1 "existing contact" field and send the following link from CiviMail: http://www.example.com/example/test?cid1={contact.contact_id}&{contact.checksum}"

This link will generate a link like this below, when sent through CiviMail:
http://example.com/example/test?cid1=4&cs=c6511e4d1e9b2cefff031f0455be88e0_13684567771_720

Problem:
If the receiver of the mail clicks on the link, it pre-populates his/her contact details but if he/she changes the value of cid1 shown below:
"cid1=5&cs=c6511e4d1e9b2cefff031f0455be88e0_13684567771_720"
It populates a different contacts details if present in the database.

Please, note that anonymous users have no permissions to access CiviCRM on the site.
 
Is this a bug or am i doing something wrong? Please for ideas!!




« Last Edit: May 12, 2013, 06:47:19 am by kennedy »

Coleman Watts

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 2346
  • Karma: 183
  • CiviCRM version: The Bleeding Edge
  • CMS version: Various
Re: Other profiles viewable by anonymous users
May 10, 2013, 08:51:05 am
Can you confirm that
1) You are not logged in while testing this
2) The contact 1 "existsting contact" field settings have "enforce permissions" enabled
Try asking your question on the new CiviCRM help site.

kennedy

  • I post occasionally
  • **
  • Posts: 119
  • Karma: 5
  • CiviCRM version: 4.5.5
  • CMS version: Drupal
  • PHP version: 5.3.10
Re: Other profiles viewable by anonymous users
May 10, 2013, 09:38:34 am
Hi Coleman,
I can confirm that
1) I am NOT logged in while testing
2)  Enforce Permissions  for existing contact is enabled (checked)

And I have tested it on different networks, at home and at work and I am still able to call up the contacts details of other contacts by simply changing the cid1= value

thanks,

Coleman Watts

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 2346
  • Karma: 183
  • CiviCRM version: The Bleeding Edge
  • CMS version: Various
Re: Other profiles viewable by anonymous users
May 10, 2013, 04:57:12 pm
And just for completeness, can you also see what happens if you remove the cs=xxxxx from the url?
Try asking your question on the new CiviCRM help site.

kennedy

  • I post occasionally
  • **
  • Posts: 119
  • Karma: 5
  • CiviCRM version: 4.5.5
  • CMS version: Drupal
  • PHP version: 5.3.10
Re: Other profiles viewable by anonymous users
May 11, 2013, 12:28:51 am
Removing cs=xxxxxxxxxxx does not change anything so long as ?cid=some value, i am able to call up contact details.
Anonymous users have no CiviCRM permissions except to view published content.
I am using Civicrm 4.3.1 & D7

Am i the only one having this problem??
« Last Edit: May 11, 2013, 02:13:16 am by kennedy »

kennedy

  • I post occasionally
  • **
  • Posts: 119
  • Karma: 5
  • CiviCRM version: 4.5.5
  • CMS version: Drupal
  • PHP version: 5.3.10
Re: Other profiles viewable by anonymous users = Solved
May 12, 2013, 06:55:26 am
The problem was an ACL, I had given a group of contacts "view permissions" to everyone in the Manage ACLs section.
I have so many groups in the system and they all have different functions so i thought giving the view permissions to everyone will just do the trick for all 10 groups since they all need this contact group and anonymous users do not have the "access civicrm" permissions. Now I have to give the same permission 10 times to this different groups. Solves the problem any way.

Thanks
« Last Edit: May 12, 2013, 07:11:47 am by kennedy »

Coleman Watts

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 2346
  • Karma: 183
  • CiviCRM version: The Bleeding Edge
  • CMS version: Various
Re: Other profiles viewable by anonymous users = Solved
May 12, 2013, 01:31:54 pm
We solved this via private msg, thanks for following up here and marking the issue resolved.
Try asking your question on the new CiviCRM help site.
Pages: [1]
  • CiviCRM Community Forums (archive) »
  • Old sections (read-only, deprecated) »
  • Support »
  • Using CiviCRM »
  • Using Drupal Modules (Moderator: Donald Lobo) »
  • Other profiles viewable by anonymous users = Solved

This forum was archived on 2017-11-26.