
Security: Activity (Homepage) and Recent Items (Sidebar) ignore permissions

Open yeah opened this issue 10 years ago • 5 comments

Items which are marked as private are shown in Activity and Recent Items even to users who are not admin.

yeah, Oct 30 '14 10:10

Thanks for reporting, we should address this. As a workaround, you can use the my scope to view only things that the current user is allowed to see. For example:

Account.my

steveyken, Nov 04 '14 14:11

Having looked at this a bit further, I can't see private records in "Recent Items" and the code seems to support filtering out items you're not allowed to see. (See config/paper_trail.rb#recent_for_user)

For the dashboard activity screen, the only activities for private items I can see are 'Person X created a comment on Thing Y' but if you click on "Thing Y", you're not allowed to see it. This should still be fixed so that it is not showing but other than that, I can't find other cases where the permissions are too lax.

Can you describe the circumstances where you can reproduce the original problem in more detail?

Thanks.

steveyken, Jan 05 '15 01:01

For the dashboard activity screen, the only activities for private items I can see are 'Person X created a comment on Thing Y' but if you click on "Thing Y", you're not allowed to see it. This should still be fixed so that it is not showing but other than that, I can't find other cases where the permissions are too lax.

That's what I was referring to. Not a huge problem, but still a problem, if names of companies, contacts, etc. are revealed that others aren't allowed to see.

yeah, Jan 05 '15 01:01
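The dashboard gap described above (an entry like "Person X created a comment on Thing Y" surfacing the name of a private Thing Y), as an added Ruby example that is not Fat Free CRM's own code: a toy feed filter that checks the record the comment was made on rather than the comment itself. The User, Item, Comment, Activity, visible_to? and recent_for_user names, and the sample data, are assumptions made for illustration.

```ruby
# Added example (not Fat Free CRM code); all names here are assumed for illustration.
User = Struct.new(:id, :admin) do
  def admin?; admin; end
end
# A CRM record with the Public / Private / Shared access modes.
Item = Struct.new(:name, :access, :owner_id, :shared_with) do
  def visible_to?(user)
    return true if user.admin? || owner_id == user.id
    case access
    when "Public" then true
    when "Shared" then shared_with.include?(user.id)
    else false # "Private" and anything unknown
    end
  end
end
# A comment has no access mode of its own, so checking it in isolation
# always passes; that is the gap the thread describes.
Comment = Struct.new(:body) do
  def visible_to?(_user); true; end
end
# One feed entry: actor, event, record, and (for comments) the parent record.
Activity = Struct.new(:actor, :event, :record, :parent) do
  def label
    target = parent ? "a comment on #{parent.name}" : record.name
    "#{actor} #{event} #{target}"
  end
end

# Leaky version: checks only the record named in the entry.
def naive_recent_for_user(activities, user)
  activities.select { |a| a.record.visible_to?(user) }.map(&:label)
end

# Fixed version: a comment inherits the permissions of its parent record.
def recent_for_user(activities, user)
  activities.select { |a| (a.parent || a.record).visible_to?(user) }.map(&:label)
end

# Constructed sample data: Bob must not learn the name "Acme Corp".
ALICE = User.new(1, false)
BOB   = User.new(2, false)
ACME  = Item.new("Acme Corp", "Private", ALICE.id, [])
JANE  = Item.new("Jane Doe", "Public", BOB.id, [])
ACTIVITIES = [
  Activity.new("alice", "created", ACME, nil),
  Activity.new("alice", "created", Comment.new("call back Monday"), ACME),
  Activity.new("bob", "created", JANE, nil),
]
```

With the naive filter Bob's feed contains "alice created a comment on Acme Corp"; with the parent-aware filter it contains only "bob created Jane Doe".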

Ok great, makes sense now.

Interestingly, as a small workaround for the moment, you can set

Setting.comments_visible_on_dashboard = false

in config/settings.yml

That doesn't fix the underlying issue though, just gets around it for now.


steveyken, Jan 05 '15 02:01

Thanks for the hint, I had worked around it by commenting the sections out in the respective views...

yeah, Jan 05 '15 02:01