CiviCRM Community Forums (archive)

*

News:

Have a question about CiviCRM?
Get it answered quickly at the new
CiviCRM Stack Exchange Q+A site
This forum was archived on 25 November 2017. Learn more.
How to get involved.
What to do if you think you've found a bug.



  • CiviCRM Community Forums (archive) »
  • Discussion »
  • Extensions (Moderators: mathieu, totten, kasiawaka) »
  • Extensions and Security
Pages: [1]

Author Topic: Extensions and Security  (Read 632 times)

JohnFF

  • I post frequently
  • ***
  • Posts: 235
  • Karma: 6
  • CiviCRM version: 4.4.13
  • CMS version: Drupal 7.28
  • MySQL version: 5.5.31-1
  • PHP version: 5.3.27
Extensions and Security
August 19, 2013, 09:06:49 am
What are the security considerations for a CiviCRM extension?

I know that's like asking how long is a piece of string, but in terms of something that retrieves and displays user's data to admins. I don't want this to be visible to non-admins! I've tested it and I can't make it manifest without being logged in. But are there any settings I should double check?

If you like empowering charities in a free and open way, then you're going to love Civi.

Email Amender: https://civicrm.org/extensions/email-amender
UK Phone Validator: https://civicrm.org/extensions/uk-phone-number-validator
http://civifirst.com
https://twitter.com/civifirst

Erik Hommel

  • Forum Godess / God
  • I live on this forum
  • *****
  • Posts: 1773
  • Karma: 59
    • EE-atWork
  • CiviCRM version: all sorts
  • CMS version: Drupal
  • MySQL version: Ubuntu's latest LTS version
  • PHP version: Ubuntu's latest LTS version
Re: Extensions and Security
August 20, 2013, 02:09:03 am
Not that I am aware of. I could imagine there are possibly security issues with a specific extension, not so much with extensions as a concept?
Consultant/project manager at EEatWork and CiviCooP (http://www.civicoop.org/)

totten

  • Administrator
  • Ask me questions
  • *****
  • Posts: 695
  • Karma: 64
Re: Extensions and Security
August 20, 2013, 06:35:11 pm
Well, it depends on the details of the customization. As an example, let's say you've added a web page as part of core or that you've added a page using civix (eg using "civix generate:page" or "civix generate:form"). There are a few levels at which you can apply security checks to the page:

 * In the navigation of the web site, you only want to display links to authorized users. With CiviCRM's menu system (aka hook_civicrm_navigationMenu), you can specify that each menu item requires a certain coarse-grained permission (like "access CiviCRM", "view all contacts", or "administer CiviCRM"). This doesn't protected you against users who hand-craft URLs, but it is an important step.
 * When defining the web page, you create an XML file. The XML declares something like "requests for /civicrm/my/page will be handled by class CRM_Myextension_Page_Mypage and require permission 'administer CiviCRM'". If someone requests that page but lacks the permission, then an error will be displayed.
 * Within the logic of your particular page (eg CRM_Myextension_Page_Mypage), you can include your own security checks. CRM_Core_Permission::check() is one helpful tool, but you can be creative.

When deciding what permissions to require for a particular page, it may be easy to reuse an existing permission like "administer CiviCRM" or "access CiviCRM". However, if you plan to redistribute the extension and want to give administrators flexibility, then you can make up your own permissions.

See also: http://wiki.civicrm.org/confluence/display/CRMDOC/Permission+Reference

In these comments, I've assumed that you created a new page with "civix generate:page" or "civix generate:form". If you created a page or service using some other means (such as profile-forms, APIs, or Drupal Views), then we can discuss those.
Pages: [1]
  • CiviCRM Community Forums (archive) »
  • Discussion »
  • Extensions (Moderators: mathieu, totten, kasiawaka) »
  • Extensions and Security

This forum was archived on 2017-11-26.