CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017. Learn more.

Author Topic: Security Issue: users with "edit contact" permiss. can add themselves as admins  (Read 405 times)

calbasi

  • CiviCRM version: 4.5
  • CMS version: Drupal 7
  • MySQL version: 5.1
  • PHP version: 5.3
Security Issue: users with "edit contact" permiss. can add themselves as admins
September 29, 2014, 04:33:54 am
Hi,
Users with the "edit contact" Drupal permission can add/remove users from groups.
Then, if you have some admin groups (to manage ACL stuff), any user with the "edit contact" permission (which is not a very high-level permission, because it is needed for a lot of simple editing tasks) can add himself to administration groups, which is not desired.
Is there any way to avoid it?
Regards

Donald Lobo

  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: Security Issue: users with "edit contact" permiss. can add themselves as admins
September 29, 2014, 05:05:44 am

"edit all contacts" is a fairly high-level permission the way CiviCRM is currently designed.

ACLs typically mean that most users do not have "edit all contacts" and only a few folks do. You might want to review your permissioning structure.

lobo

calbasi

  • CiviCRM version: 4.5
  • CMS version: Drupal 7
  • MySQL version: 5.1
  • PHP version: 5.3
Re: Security Issue: users with "edit contact" permiss. can add themselves as admins
November 26, 2014, 05:20:25 am
Hi Donald,

OK, I've noticed I can use ACLs to let some CiviCRM roles edit users (all, or some groups). But I think the problem persists here... I'd want Editors to be able to edit contacts (with Drupal or ACLs I can achieve this), but I think they should not be able to assign "control access" groups to users. Why? Because they can then assign Administrator or other high-level groups to themselves or any other user...

I think a better workflow would be if users with the "Edit users" permission can NOT assign "control access" groups by default (without a specific permission).

What do you think about it?

Michael McAndrew

  • CiviCRM version: various
  • CMS version: Nearly always Drupal
  • MySQL version: 5.5
  • PHP version: 5.3
Re: Security Issue: users with "edit contact" permiss. can add themselves as admins
December 01, 2014, 11:12:59 am
It sounds sensible to me - not sure how easy it would be to implement. Are you able to put some resources towards it?

e_mason

  • CiviCRM version: 4.05
  • CMS version: Drupal 7
  • MySQL version: 5.1xx
  • PHP version: 3.53
Re: Security Issue: users with "edit contact" permiss. can add themselves as admins
December 01, 2014, 04:16:44 pm
Hitting the same limitation ... ACLs are great except for the fact that staff can add themselves to a group and thus gain any level of permission. Limiting the ability of staff to edit contacts is a severe restriction.

I would add that being able to ACL group assignment & visibility would remedy this - both because the visibility and operability of groups would be permissioned. I'd think this has some useful parent-chapter utility as well, reducing the number of visible groups.

The work-arounds I've imagined are putting staff into a contact sub-type and applying an ACL... it can be gotten around, but it can be opaque. The more extreme version is to add a script to hide the high-level permission group (e.g. "Administrators") from the drop-down group selectors. Staff could delete themselves from the group, but not add themselves back in.

That last idea could probably be implemented as a hook as well? That's probably a lot simpler than going full-permission on groups (since my clients are just figuring out ways to live with it and don't seem interested in sponsoring development).
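The hook-based mitigation suggested in the post above, written out as an added example that is not from the thread or from CiviCRM core: a `hook_civicrm_pre()` implementation in a hypothetical extension named "groupguard" that refuses to add contacts to any group flagged as "Access Control" unless the acting user holds a gating permission. It assumes CiviCRM's documented pre-hook calling convention for `GroupContact` (on `create`, `$id` is the group ID and `$params` is the list of contact IDs being added), and uses the core `administer CiviCRM` permission as the gate; the group-type check relies on the Access Control flag having option value 1 in the separator-delimited `group_type` column.

```php
<?php
// Added example (hypothetical "groupguard" extension, not CiviCRM core code).
// Blocks additions to Access Control groups for users lacking the gate
// permission, closing the self-promotion path discussed in this thread.

/**
 * Implements hook_civicrm_pre().
 *
 * Assumption: for objectName 'GroupContact' and op 'create', $id is the
 * group ID and $params is the array of contact IDs about to be added.
 */
function groupguard_civicrm_pre($op, $objectName, $id, &$params) {
  if ($objectName !== 'GroupContact' || $op !== 'create') {
    return;
  }
  if (!groupguard_is_access_control_group($id)) {
    return;
  }
  // Core permission used as the gate; a site could define its own via
  // hook_civicrm_permission() and check that instead.
  if (CRM_Core_Permission::check('administer CiviCRM')) {
    return;
  }
  // Deny: empty the by-reference contact list so nothing gets added, and
  // surface the reason instead of failing silently.
  $params = array();
  CRM_Core_Session::setStatus(
    ts('You do not have permission to add contacts to access-control groups.'),
    ts('Not permitted'),
    'error'
  );
}

/**
 * TRUE when the group's group_type includes "Access Control" (value 1).
 * group_type is stored as a VALUE_SEPARATOR-delimited string, e.g. "\x011\x01".
 */
function groupguard_is_access_control_group($groupId) {
  $type = CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Group', $groupId, 'group_type');
  if (empty($type)) {
    return FALSE;
  }
  $sep = CRM_Core_DAO::VALUE_SEPARATOR;
  return strpos($sep . trim($type, $sep) . $sep, $sep . '1' . $sep) !== FALSE;
}
```

This only gates additions (removals still work, matching the "can delete themselves but not add themselves back" behaviour described above), and it only protects groups whose group_type carries the Access Control flag, so groups referenced by an ACL without that flag need the flag set to be covered.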
