CiviCRM allows users to import contacts from either a CSV file or a SQL datasource. Prior to 4.7.11 (or 4.6.21), the single permission "import contacts" allowed a user to import by either means, CSV or SQL, and a user holding it could use the SQL path to bypass ACL rules. Beginning with 4.7.11 (or 4.6.21), there is a separate permission, "import SQL datasource". If you want your users to be able to import contacts using SQL, you must now grant both permissions ("import contacts" and "import SQL datasource"). It is recommended that the SQL import permission be granted only to the most trustworthy users.
Vulnerable versions: CiviCRM versions prior to 4.7.11 or 4.6.21
Fixed versions: CiviCRM 4.7.11 or greater, or 4.6.21 or greater
Any ONE of the following should provide protection:
- Upgrade to CiviCRM 4.7.11 or greater, or CiviCRM 4.6.21 or greater.
- Revoke the permission "import contacts" from any users you do not fully trust.
- Backport https://github.com/civicrm/civicrm-core/pull/8922
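The permission change described above, modelled as a small audit over a role-to-permission map, is an added illustration and not CiviCRM's own code. The version thresholds and permission names are those given in this advisory; the role map and version strings are constructed samples.

```python
# Added illustration (not CiviCRM code): models the permission split described
# in the advisory and reports which roles can reach the SQL import path.
from typing import Dict, FrozenSet, List, Tuple

IMPORT_CONTACTS = "import contacts"
IMPORT_SQL = "import SQL datasource"


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted version string such as '4.7.11' into integers."""
    return tuple(int(p) for p in v.split("."))


def has_sql_permission_split(version: str) -> bool:
    """True if this release separates the SQL datasource permission.

    Thresholds are the ones the advisory gives: 4.6.21+ on the 4.6 line,
    4.7.11+ on the 4.7 line, and anything newer than 4.7.
    """
    major, minor, patch = parse_version(version)[:3]
    if (major, minor) == (4, 6):
        return patch >= 21
    if (major, minor) == (4, 7):
        return patch >= 11
    return (major, minor) > (4, 7)


def can_import_via_sql(version: str, perms: FrozenSet[str]) -> bool:
    """Whether a role holding `perms` can use the SQL datasource importer."""
    if IMPORT_CONTACTS not in perms:
        return False
    if not has_sql_permission_split(version):
        return True  # pre-fix: "import contacts" alone reaches the SQL path
    return IMPORT_SQL in perms  # fixed: both permissions are required


def audit_sql_import_roles(version: str, roles: Dict[str, FrozenSet[str]]) -> List[str]:
    """Roles that deserve review because they can import contacts by SQL."""
    return sorted(name for name, perms in roles.items() if can_import_via_sql(version, perms))


# Constructed sample role map; not taken from any real site.
SAMPLE_ROLES: Dict[str, FrozenSet[str]] = {
    "administrator": frozenset({IMPORT_CONTACTS, IMPORT_SQL}),
    "data-entry": frozenset({IMPORT_CONTACTS}),
    "viewer": frozenset(),
}

if __name__ == "__main__":
    for ver in ("4.7.10", "4.7.11", "4.6.21", "5.0.0"):
        print(ver, audit_sql_import_roles(ver, SAMPLE_ROLES))
```

On an unpatched release the "data-entry" role is flagged because "import contacts" alone reaches the SQL importer; once upgraded, only roles that also hold "import SQL datasource" appear.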
Credits:
- Chris Burgess (Fuzion) for identifying the issue
- Tim Otten (CiviCRM) for fixing the issue
References:
- https://issues.civicrm.org/jira/browse/CRM-15925 (restricted access)