CiviCRM Community Forums (archive)


This forum was archived on 25 November 2017. Learn more.

Author Topic: "Add xxx to Group" permissions  (Read 1365 times)

npforce

  • Guest
"Add xxx to Group" permissions
July 18, 2009, 11:33:16 am
Hi,

I'm confused about how permissions regarding groups work. I haven't found anything in the Drupal user permission management page that controls who can add someone to a group. I had an empty group A. It seems any authenticated user can click the "members" link for A in "Manage Groups", and then add anyone to group A.

Can anyone give me some clue how to control this?

Also, it seems a user without the "edit groups" permission can edit the search criteria of a smart group. Is there some configuration that I missed?

Thanks!

Kurund Jalmi

  • Administrator
Re: "Add xxx to Group" permissions
July 20, 2009, 02:31:11 am
This might help: http://wiki.civicrm.org/confluence/display/CRMDOC/Access+Control

Kurund

Ente

  • Guest
Security Hole: Add to Administrator Group. Re: "Add xxx to Group" permissions
September 14, 2009, 07:47:13 am
Even worse here (version 3.0 beta3): Every user with Drupal "Use CiviCRM" permission can add himself to the "Administrators" group and gets assigned admin permissions the next time he logs in. :o
I dug through those ACL options but also couldn't find anything, like the original poster.
Did I miss some option? Because this is a really serious security hole.

Donald Lobo

  • Administrator
Re: "Add xxx to Group" permissions
September 14, 2009, 08:39:20 am

1. there is no "use civicrm" permission

2. ensure that non-admins don't have access to the groups that control the access control

3. ensure that ACL groups do not have public visibility

You need to know what you are doing when dealing with ACLs. So do handle with care. If you need help or clarification, ping us on IRC

lobo
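
An added example, not part of the thread and not CiviCRM's own code: one way to audit points 2 and 3 of the reply above, by listing the groups that drive access control and flagging any that are publicly visible. It assumes simplified stand-ins for the `civicrm_group` and `civicrm_acl_entity_role` tables, that `group_type` is a `\x01`-separated list in which `1` means "Access Control", and that `User and User Admin Only` is the non-public visibility value; check these against your installed schema. All rows are constructed sample data.

```python
import sqlite3

SEP = "\x01"                          # assumed separator inside group_type
ACL_TYPE = "1"                        # assumed value for the "Access Control" type
PRIVATE = "User and User Admin Only"  # assumed non-public visibility value

def build_sample_db():
    """Constructed sample rows in a simplified stand-in for the CiviCRM tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE civicrm_group (id INTEGER PRIMARY KEY, title TEXT,
            visibility TEXT, group_type TEXT, is_active INTEGER);
        CREATE TABLE civicrm_acl_entity_role (id INTEGER PRIMARY KEY,
            acl_role_id INTEGER, entity_table TEXT, entity_id INTEGER,
            is_active INTEGER);
    """)
    db.executemany("INSERT INTO civicrm_group VALUES (?,?,?,?,?)", [
        (1, "Administrators", "Public Pages", SEP + "1" + SEP, 1),
        (2, "Newsletter", "Public Pages", SEP + "2" + SEP, 1),
        (3, "Case Managers", PRIVATE, SEP + "1" + SEP, 1),
        (4, "Volunteers", PRIVATE, None, 1),
    ])
    db.executemany("INSERT INTO civicrm_acl_entity_role VALUES (?,?,?,?,?)", [
        (1, 1, "civicrm_group", 1, 1),
        (2, 2, "civicrm_group", 4, 1),
    ])
    return db

def audit_acl_groups(db):
    """Return (group_id, title, finding) for groups that control permissions."""
    rows = db.execute("""
        SELECT g.id, g.title, g.visibility, g.group_type,
               EXISTS(SELECT 1 FROM civicrm_acl_entity_role r
                      WHERE r.entity_table = 'civicrm_group'
                        AND r.entity_id = g.id AND r.is_active = 1)
        FROM civicrm_group g WHERE g.is_active = 1 ORDER BY g.id""").fetchall()
    findings = []
    for gid, title, visibility, group_type, has_role in rows:
        typed = ACL_TYPE in (group_type or "").split(SEP)
        if not (typed or has_role):
            continue  # group has no bearing on permissions
        if visibility != PRIVATE:
            findings.append((gid, title, "ACL group is publicly visible"))
        if has_role and not typed:
            findings.append((gid, title, "has an ACL role but no Access Control type"))
    return findings

if __name__ == "__main__":
    for finding in audit_acl_groups(build_sample_db()):
        print(finding)
```

Every group the audit reports is one whose membership should be editable only by administrators.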


This forum was archived on 2017-11-26.