CiviCRM Community Forums (archive)


This forum was archived on 25 November 2017.



Topic: Profile Bug - All contact details showing in profile when remove directory id

robbiemc

  • I post occasionally
  • **
  • Posts: 66
  • Karma: 0
  • CiviCRM version: 4.5.0
  • CMS version: Drupal 7.22
  • MySQL version: 5.5.37
  • PHP version: 5.3.28
Profile Bug - All contact details showing in profile when remove directory id
July 24, 2013, 06:30:10 am
Hi

A potential issue has been raised by one of our members. When viewing a member's contact details on an online profile, if you delete the profile number from the end of the URL you are then able to view all member details.

I.e. if I remove the profile number 20 from the following link, which shows a Civi Profile

http://www.ereps.eu.com/index.php?q=civicrm/profile/view&reset=1&id=9456&gid=20

you get the following link, which shows multiple views of all member details, probably based on the number of groups they belong to:

http://www.ereps.eu.com/index.php?q=civicrm/profile/view&reset=1&id=9456&gid=

although it does say "Permission Denied: You do not have permission to view this contact record. Contact the site administrator if you need assistance."

Is this a permissions thing or a bug in the system? If permissions, can somebody please advise what I need to do to restrict this?

Many thanks

Robbie
« Last Edit: July 24, 2013, 06:37:06 am by robbiemc »

Donald Lobo

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 15963
  • Karma: 470
    • CiviCRM site
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: Profile Bug - All contact details showing in profile when remove directory id
July 24, 2013, 01:40:27 pm

This is a bug (IMO). Can you investigate and submit a patch, please? I think the behavior should be to not display anything if the 'gid' argument is empty / null.

I assume that the fields being shown are public.

lobo
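
The fail-closed behaviour suggested in the reply above (display nothing when 'gid' is empty or null), sketched as an added example that is not part of the thread and not CiviCRM's own code. The function name `requireProfileGid` and the sample query strings are hypothetical, modelled on the URL shape quoted in the first post.

```php
<?php
// Added example, not CiviCRM code. Function name and samples are hypothetical.

/**
 * Return the profile group id to render, or null when nothing may be shown.
 * Fails closed: a missing, empty, non-string or non-positive gid yields null,
 * so the caller never falls back to rendering every profile.
 */
function requireProfileGid(array $query): ?int
{
    $raw = $query['gid'] ?? null;
    // "gid[]=20" arrives as an array; accept only a plain string value.
    if (!is_string($raw)) {
        return null;
    }
    // Digits only, no sign or whitespace, no leading zero, at most 9 digits
    // (fits a 32-bit int). /D stops "$" from matching before a trailing newline.
    if (!preg_match('/^[1-9][0-9]{0,8}$/D', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Constructed sample query strings (not taken from any log).
$samples = [
    'q=civicrm/profile/view&reset=1&id=9456&gid=20',          // normal request
    'q=civicrm/profile/view&reset=1&id=9456&gid=',            // empty gid, as in the report
    'q=civicrm/profile/view&reset=1&id=9456',                 // gid missing entirely
    'q=civicrm/profile/view&reset=1&id=9456&gid[]=20',        // array instead of scalar
    'q=civicrm/profile/view&reset=1&id=9456&gid=0',           // not a valid id
    'q=civicrm/profile/view&reset=1&id=9456&gid=20%20OR%201', // trailing garbage
];

foreach ($samples as $qs) {
    parse_str($qs, $query);
    $gid = requireProfileGid($query);
    if ($gid === null) {
        // Render nothing and stop here; never continue with an unset gid.
        echo "DENY   $qs\n";
        continue;
    }
    echo "RENDER gid=$gid  $qs\n";
}
```

Only the first sample is rendered; the other five are denied before any profile lookup would run. A valid gid still has to pass the usual permission check for that profile and contact.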

robbiemc

Re: Profile Bug - All contact details showing in profile when remove directory id
July 25, 2013, 03:30:27 am
Hi Lobo

Unfortunately I am not a developer so submitting a patch is a wee bit beyond me.

The URL minus the GID seems to show all created profiles, populating fields where the viewed contact has data... I have attached some screenshots for reference. This of course is a bit of a nightmare, as we don't wish to be in a position where personal data can be viewed. Good job we don't store bank details.

How do we proceed to get this bug addressed?

Robbie
« Last Edit: July 25, 2013, 05:03:10 am by robbiemc »

Donald Lobo

Re: Profile Bug - All contact details showing in profile when remove directory id
July 25, 2013, 07:28:08 am

If you have the funds, please consider hiring a developer to investigate and submit a patch for this.

Also ensure that you can reproduce this issue on the latest version of CiviCRM.

lobo

buyhawaii

  • I’m new here
  • *
  • Posts: 2
  • Karma: 0
    • The Scandinavian Club of Hawaii
  • CiviCRM version: 4.1
  • CMS version: Drupal 7.24
  • MySQL version: 5.0.89
  • PHP version: 5.2.12
Re: Profile Bug - All contact details showing in profile when remove directory id
December 04, 2013, 09:01:22 am
To remove the "Permission Denied You do not have permission to view this contact record. Contact the site administrator if you need assistance" message in Drupal, even though you provided proper permissions: a simple click on "Rebuild permissions" from the Status report page, and flushing all caches, removed it for me.
Mahalo!


This forum was archived on 2017-11-26.