Author Topic: civimail - Mailing List Subscription (Read 1857 times)

kdas · July 18, 2009, 08:31:08 pm

Hi All,

The default subscription to a mail group only requires email address. In order to get firstname, lastname, zip code along with the email we created a profile for newsletter subscription. Since the user will be anonymous, I gave the permission in drupal to anonymous users to access profile ('profile listings and forms'). Though enabaling this causes security risk for other profiles that we don't want any one to access.

For example for newsletter subscription the profile Id is 9 and url:
http://<xyz>/civicrm/profile/create?reset=1&gid=9

If someone changes the 'gid' in url to '1' he will have access to profile Id 1.

Is there any setting that could restrict people to use only 'gid' 9 in above example, or any better way to handle this?

-kdas

kdas · July 19, 2009, 09:02:12 am

Update:
Instead of giving access at drupal level to anonymous users to profiles, I created an ACL to give Edit permission to Everyone on this profile only. Seems to work. Playing with it little bit more to see if there are any other issues. Will let you know. Thanks anyway for reading this thread.

kdas · July 20, 2009, 08:31:53 pm

The profile approach that I mentioned may allow someone to abuse the system to add someone else email in the database. Is there any other approach where we can collect Firstname, Lastname apart form Email for Mailing list subscription?

kdas · May 28, 2010, 12:55:34 pm

It seems I tried above profile with Edit Profile permission to Everyone (that includes Anonymous) using civicrm 2.2 and the link worked for anonymous users. Today I tried the same using civicrm 3.1.3 and got the error. Tried a new profile from scratch and still got the same error even with ACL permission to Everyone. Is this a bug? I don't have old version of civicrm to try.

Sorry. A non-recoverable error has occurred.
The requested Profile (gid=19) is disabled OR it is not configured to be used for 'Profile' listings in its Settings OR there is no Profile with that ID OR you do not have permission to access this profile. Please contact the site administrator if you need assistance.

johns · June 15, 2010, 01:06:19 pm

I'm also concerned about this. Any luck?

Donald Lobo · June 15, 2010, 04:47:12 pm

3.1 has introduced finer permissions to profiles

thus u can grant create/edit permission for anonymous users but not a listing, this prevents problems of exposing listings for profiles for anon users

you can also use acl's to have fine grained permissions on a per profile basis

lobo

CiviCRM Community Forums (archive)

News:

Author Topic: civimail - Mailing List Subscription (Read 1857 times)

kdas

civimail - Mailing List Subscription

kdas

Re: civimail - Mailing List Subscription

kdas

Re: civimail - Mailing List Subscription

kdas

Re: civimail - Mailing List Subscription

johns

Re: civimail - Mailing List Subscription

Donald Lobo

Re: civimail - Mailing List Subscription