Author Topic: ACL and Group security issue confirmation and PR orientation  (Read 851 times)

danielmart
« on: February 03, 2017, 02:02:07 am »
Hello,

I would like to confirm these statements regarding permissions, ACL and groups (WordPress 4.7.1, CiviCRM 4.7.15)

1- Permission to edit contacts (ACL or general), allows user to assign contacts to ANY group
2- As 1 is true, user can add himself to another group and thus obtain its ACL related permissions

This is a serious issue for us as it hinders the flexible security management ACL provides. I would like to evaluate the viability of a feature to solve this problem. I see two approaches:

1- A general permission (not ACL related; in WordPress, related to the WordPress user role) which would control assignment to access control groups (this will be enough for our organization)
2- As 1, combined with ACL permissions (e.g. general permission denied, but assignment to certain access control groups allowed through ACL)

I would be able to work on either of these approaches (1 in a first phase, then 2) but I am not yet very familiar with the CiviCRM code structure. Can you point out the possible problems and difficulties of implementing these features? Is there any related issue in Jira?

Thank you
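
A model of the reported behaviour and of the check the two proposed approaches would add, as an added example (not CiviCRM code and not written by the poster). The permission string `assign to access control groups`, the `Policy` and `User` classes and the function names are all hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical names throughout: this models the behaviour described in the
# post and does not use CiviCRM's real permission strings or API.
EDIT = "edit contacts"
ASSIGN_AC = "assign to access control groups"  # proposed general permission

@dataclass
class Policy:
    acl_grants: dict  # access control group -> permissions its members receive
    # approach 2: actor's group -> access control groups it may assign to
    assign_grants: dict = field(default_factory=dict)
    enforce: bool = True  # False reproduces the behaviour reported in the post

@dataclass
class User:
    name: str
    cms_perms: set  # permissions from the CMS (WordPress) user role
    groups: set = field(default_factory=set)

def effective_perms(user, policy):
    """CMS role permissions plus everything granted through ACL group membership."""
    perms = set(user.cms_perms)
    for g in user.groups:
        perms |= policy.acl_grants.get(g, set())
    return perms

def can_assign(actor, group, policy):
    """May `actor` add a contact (including their own record) to `group`?"""
    if EDIT not in effective_perms(actor, policy):
        return False
    if not policy.enforce or group not in policy.acl_grants:
        return True  # ordinary group, or the unrestricted behaviour
    if ASSIGN_AC in actor.cms_perms:
        return True  # approach 1: general permission tied to the CMS role
    # approach 2: ACL-scoped exception for specific access control groups
    return any(group in policy.assign_grants.get(g, set()) for g in actor.groups)

def add_to_group(actor, target, group, policy):
    """Apply the membership change only if the check passes."""
    if not can_assign(actor, group, policy):
        raise PermissionError(f"{actor.name} may not assign to {group!r}")
    target.groups.add(group)
```

The approach 1 check reads only `cms_perms`, so the new permission cannot itself be obtained through group membership.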

petednz
« Reply #1 on: February 07, 2017, 09:19:42 pm »
hey daniel - recommend you head over to StackExchange - forum is mostly archive now.
Sign up to StackExchange and get free expert advice: https://civicrm.org/blogs/colemanw/get-exclusive-access-free-expert-help

pete davis : www.fuzion.co.nz : connect + campaign + communicate