Vulnerability when using portals

  • mwandelt
    Junior Member
    • Sep 2016
    • 23

    Vulnerability when using portals

    I have created a portal role with access to the "case" scope only. The permissions are: create - yes, read - own, edit - no, delete - no, stream - own. The portal dashboard has a "My Cases" dashlet.

    When I log into the portal as a user who has only that role mentioned above, the dashlet lists my own cases only, which is correct. But when I open a case and click on the "Cases" link (which is displayed in front of the case title in the headline) I will see a list of all cases from all users. I can even click on a list entry to open that case's detail page. While most of the case details are hidden, I can still see the case title, status, creation date and creation user, so overall I get a view of things which might be confidential.

    A similar, even more sensitive problem occurs when I navigate to my user page and click on the "Users" link in front of my user name in the headline. Then I will see a list of all system and portal users, including login names, real names and email addresses!

    Am I missing something? Is there a way to prevent portal users from accessing these sensitive pages?
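    A model of the "read: own" rule from this report, as an added example in Python (not EspoCRM's own code): every list view, including the ones reached through the "Cases" and "Users" headline links, goes through the same row-level filter as the detail page. The role, record store, user ids and the assumed "read: own" on the User scope are constructed for the example.

```python
from dataclasses import dataclass

# Portal role exactly as described in the report (Case scope only), plus an
# assumed "read: own" on User so the user can still reach their own profile.
PORTAL_ROLE = {
    "Case": {"create": "yes", "read": "own", "edit": "no", "delete": "no", "stream": "own"},
    "User": {"read": "own"},
}

@dataclass(frozen=True)
class Record:
    scope: str    # entity type, e.g. "Case" or "User"
    id: str
    owner: str    # id of the user who created the record
    summary: str  # title / login name; the hidden fields are not modelled

# Constructed sample data: two portal users plus an admin, three cases.
STORE = [
    Record("User", "alice", "alice", "alice@example.test"),
    Record("User", "bob", "bob", "bob@example.test"),
    Record("User", "admin", "admin", "admin@example.test"),
    Record("Case", "case-1", "alice", "Printer jams"),
    Record("Case", "case-2", "bob", "Contract dispute"),
    Record("Case", "case-3", "admin", "Internal audit"),
]

def read_level(role: dict, scope: str) -> str:
    """Scopes missing from the role get no access at all."""
    return role.get(scope, {}).get("read", "no")

def can_read(role: dict, user_id: str, rec: Record) -> bool:
    """Row-level check shared by detail pages and list queries."""
    level = read_level(role, rec.scope)
    return level == "yes" or (level == "own" and rec.owner == user_id)

def list_records(role: dict, user_id: str, scope: str, store=STORE):
    """Every list view (dashlet, 'Cases' breadcrumb, 'Users' link) must use
    this one filter; the bug in the report was a list view that bypassed it."""
    if read_level(role, scope) == "no":
        raise PermissionError(f"no read access to scope {scope}")
    return [r for r in store if r.scope == scope and can_read(role, user_id, r)]

def read_record(role: dict, user_id: str, rec_id: str, store=STORE):
    """Detail page: return None rather than a partially masked record."""
    for r in store:
        if r.id == rec_id:
            return r if can_read(role, user_id, r) else None
    return None
```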
  • yuri
    Member
    • Mar 2014
    • 8440

    #2
    Will be fixed very soon. Thanks.
    If you find EspoCRM good, we would greatly appreciate if you could give the project a star on GitHub. We believe our work truly deserves more recognition. Thanks.


    • yuri
      Member
      • Mar 2014
      • 8440

      #3
      It's a recent bug we missed. It is now fixed. The new version is to be released today.

      If you find EspoCRM good, we would greatly appreciate if you could give the project a star on GitHub. We believe our work truly deserves more recognition. Thanks.


      • mwandelt
        Junior Member
        • Sep 2016
        • 23

        #4
        Wow, that was a quick fix! Everything works fine now. Thanks!
