Security Release for Webform Integration

Publicat
2012-11-07 10:12
Written by
colemanw - member of the CiviCRM community and Core Team member - about the Core Team

If you are using CiviCRM Webform Integration with Drupal 7, there has been a security release to fix potential permissions problems - you should upgrade the module as soon as possible.

Details

One feature of Webform CiviCRM integration is that it allows you to expose contact data via webforms. Depending on what fields you have exposed in your form, this may include personal information such as birthdate, phone number, email address, etc. Proper permission settings are important to keep this information from prying eyes.
Each "existing contact" on a webform has a setting to enforce CiviCRM permissions -- this setting should rarely be disabled, and only done so by admins who know what they're doing. Unfortunately some circumstances may have led this setting to be erroniously disabled by the admin:

  • In version 3.0 - 3.1 of this module, "Enforce Permissions" was not on by default, and needed to be manually selected by the admin. This was fixed in 3.2.
  • In versions 3.0 - 3.2, the current user could not be autofilled for normal unprivledged users. This may have led some admins to disable the "Enforce Permissions" setting, a dangerous workaround.
  • In versions 3.0 - 3.3, autofilling a contact via the url with a checksum did not work for anonymous users unless the "Enforce Permissions" setting was disabled.

Version 3.4 includes an update script which will automatically set "Enforce Permissions" for all existing contacts to true. Once you have upgraded, you may wish to review your webforms and ensure that autofilling contacts works as expected, especially for anonymous users. In a few rare cases where you have established access control through some other means, disabling "Enforce Permissions" may be necessary and you will need to do so manually.

 

Filed under