CiviCRM Community Forums (archive)

First the good news - Looks great & the functionality is well exposed - love it

Minor point - CiviCRM Dashboard link doesn't work

Major issue - In allowing the user access to the Admin side the demo user can change the whole site, change what articles are seen, what text is in the articles etc.. etc.. This may not be such a huge issue if it is not used that much and refreshed every 1/2 hour or so but it is a hackers dream and if you get a determined hacker they will render the demo unusable. This is why you never really see back end demos for Joomla.

Honestly I would say a set of screenshots for the backend would be a lot less trouble.

Regards,

Rob
 



 

1. what was the url for dashboard that did not work for you?

on http://joomla.demo.civicrm.org/ where it says Then check out the CiviCRM Dashboard where you'll find menus for various CRM tasks - that is the link that doesn't work.

3. We do think a demo is significanly better than a set of screenshots

Sure, I really don't like to rain on the parade, the demo is great but I think it probably needs a bit more control - The problem is that people can affect all the articles in Joomla but in Drupal they can just affect the database. Honestly someone could unpublish the whole Joomla site content in 2 minutes (this is certainly not possible in the Drupal Demo) or they could add Defamation, Libel and Slander - possible in the Drupal version (within the database) but in the Joomla version it could be the lead article on the front page!. Alternatively you could have porn etc...

Yes a demo is better but it needs controls - the standard Joomla backend demo requires a valid email and registration before you can use it.  If com_content and com_menus could be disabled for the demo user that may be enough.

I honestly hope that I am wrong and that this will demo will not be abused.

Hi,

First of all a disclaimer - I have spent a bit of time hacking the Joomla Core before but I am not an authority on the Joomla ACL. Please check this out with an expert.

Having said that I think the security issue here it is more about restricting what the manager role (which the demo user has) can access at the backend. Unfortunately to restrict the demo user from doing what they shouldn't needs a small bit of hacking around the Joomla 1.5 Core as far as I can see.

Authorisation through the Joomla 1.5 ACL is held in libraries/joomla/user/authorization.php - if you comment out

//$this->addACL( 'com_content', 'add', 'users', 'manager', 'content', 'all');

then you can add the following to administrator/components/com_content/admin.content  before the $controller = new ContentController(); line

//start of hack

$user = & JFactory::getUser();
if (!$user->authorize( 'com_content', 'add' )) {
   $mainframe->redirect( 'index.php', JText::_('ALERTNOTAUTH') );
}

//end of hack

That should stop the demo users from adding/editing articles - they will get 'You are not authorised to view this resource' while the real administrator will still be able to add/edit articles

Then probably need to do similar things with com_menus, com_section, com_frontpage & com_categories because of the unpublishing issue.