CiviCRM Community Forums (archive)

Joomla 1.5.13, Civi 2.2.7. Joomla template rhuk (standard with only images changed)

Define a profile for searching and editing contacts with mixture of editable and view only fields. Some fields flagged as searchable, some as searchable and list selector.

Profile settings for Profile and Search Results, advanced settings limit listing to specific group, no redirect urls and "Include profile edit links in search results?" is checked

Define menu entry to display profile as CiviCRM Profile Search type and link to the profile correctly.

On front end, logged in with admin privileges, profile search works correctly but the listing only displays the 'view' link not the 'edit' link at the end of each line.

Oddly at the top the word "editLink:" is being output before the box around the CiviCRM output.
Page source looks like this...
<table class="nopad"><tr valign="top"><td>editLink: <p>
<div id="crm-container" lang="en" xml:lang="en">
<script type="text/javascript" src="/administrator/components/com_civicrm/civicrm/js/Common.js"></script>
...
Any idea what is going on. Has anyone got edit links working ok in Civi2.2.7 (they used to in 2.0.5 - I'm updating the site)
Is this a bug to report?

Many thanks - that'll be the one. Unfortunately the fisheye link isn't working (server down) - any idea when the next release will be or if it is easy to backport. Its a bit fundamental !

Thanks Yashoda.
Removing the line 'echo "editLink:..." does remove the spurious "editLink:" above the form, but the edit links have not appeared. Looks like I might have to tell them to wait a week, in the meantime perhaps there are some other changes needed?

If I remove the if( $editlink)  around the self::$_links(CRM..... ts('Edit') section then the Edit links are displayed
eg http://mysitedomain/index.php?option=com_civicrm&task=civicrm/profile/edit&reset=1&id=1207&gid=15 which fails telling me I don't have permission to edit this contact record. This would seem to be a separate problem and possibly be related to why $editlink is not being passed in as true to the &links() function.

I might be missing something more fundamental here - what determines which Joomla front end users can edit all contacts?

In v2.0.5 I recall that I made a hack to restrict access to profiles to members of certain groups, thus allowing me to hide editing profiles from non authorised members. It looks like it is now not possible for any front end user to edit (previously it was possible for all if you showed them an editing form).

In a standard install I would expect either everyone to have editing rights and be able to restrict by setting joomla permissions on the menu item that calls the profile - is this not the case?

Thanks Dave,
 
All I can say is 'good grief' - how long has this security hole been there? I see it was in 2.0.x

It is not just editing - it means if you have ANY view profile configured for listings then all of the records are visible to any casual visitor without being logged in.

This is true even in v2.2.7 - essentially you can not use Joomla to have any listing profile even for viewing. It doesn't matter if the profile is linked to a menu or not.

All you can do is mitigate by creating and deleting several thousand profiles so that you have some pretty unguessable gid numbers for list profiles - but even that would be discoverable with very little determination.

Suddenly I am deeply worried about the Joomla + CiviCRM combination. How can I be sure that there isn't some other undocumented query string which will allow a view profile to be run as a listing. Does the same problem not exist in Drupal?

In fact it gets worse - I've just discovered that a casual visitor can construct a url query string to access any details available in any profile without being logged in. It is not just profiles configured for listing that are affected. Ok so I would have to find a profile ID and a user ID, but since these by default run sequentially (auto increment index fields) once you've found an active profile and one user ID you can probably access the whole lot. It becomes trivial to write a script which will extract all the user details in your database which are available in any profile.

In effect this means that you can not (must not I would say) use profiles. Delete them all now.

If you are storing any kind of personal information then this is a MAJOR security issue - and if you are in the UK now that you are aware of it you are probably acting irresponsibly under the DPA if you do not immediately take your website off-line until it is fixed.

I feel this is so serious that the Civi team should issue immediate advice to all Joomla users to either take their sites down, or delete all profile definitions.

Please can we have a statement asap as to what the plan is to fix this - and should we post warnings elsewhere, or will that simply draw attention to the problem.

HEEEEELLLLLLPPP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

RogerCO

Double-posting my reply here for others who might be following:

Roger - We are looking into the problem and working on a solution. We should be able to post an update later today.

UPDATE: Initial replies posted here:
http://forum.civicrm.org/index.php/topic,9105.0.html