An access bypass was identified: a user granted only the "View own contact" permission in the CMS was also able to edit their own contact record. The bypass of permission checking did not extend to other contacts in CiviCRM.
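The following is an added illustration of the class of bug the advisory describes, not CiviCRM's own code: a per-contact access check that, once the target is the caller's own contact, lets a single "view" permission satisfy an edit request, shown next to a check that keys the required permission on the requested operation. The function names, the permission strings ("view my contact", "edit my contact", "view all contacts", "edit all contacts") and the contact IDs are assumptions for the example.

```php
<?php
// Hypothetical model of the flaw, written for this advisory; not CiviCRM's implementation.
// Permission names mirror CiviCRM's labels but are assumed here, as are the contact IDs.

// Weak check: on the user's own contact, holding any "own contact" permission
// unlocks every operation, so "view my contact" alone permits an edit.
function canAccessContactWeak(array $userPerms, int $userContactId, int $targetContactId, string $op): bool
{
    if ($targetContactId === $userContactId) {
        // BUG: the operation ($op) is never consulted for the user's own record.
        return in_array('view my contact', $userPerms, true)
            || in_array('edit my contact', $userPerms, true);
    }
    $required = ($op === 'edit') ? 'edit all contacts' : 'view all contacts';
    return in_array($required, $userPerms, true);
}

// Hardened check: the operation decides which permission is required,
// for the user's own contact exactly as for any other contact.
function canAccessContactFixed(array $userPerms, int $userContactId, int $targetContactId, string $op): bool
{
    if ($targetContactId === $userContactId) {
        $required = ($op === 'edit') ? 'edit my contact' : 'view my contact';
    } else {
        $required = ($op === 'edit') ? 'edit all contacts' : 'view all contacts';
    }
    return in_array($required, $userPerms, true);
}

// Constructed scenario from the advisory: the user (contact 42) holds only "view my contact".
$perms = ['view my contact'];
foreach (['weak' => 'canAccessContactWeak', 'fixed' => 'canAccessContactFixed'] as $label => $fn) {
    printf(
        "%-5s view own: %-5s edit own: %-5s edit other: %s\n",
        $label,
        var_export($fn($perms, 42, 42, 'view'), true),   // true for both
        var_export($fn($perms, 42, 42, 'edit'), true),   // weak: true (the bypass); fixed: false
        var_export($fn($perms, 42, 7, 'edit'), true)     // false for both, as the advisory notes
    );
}
```

A regression test for the fixed site is the second column: a user with only the view permission must be refused an edit of their own record.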
Affected versions: CiviCRM versions prior to 4.7.8 or 4.6.17
Fixed versions: CiviCRM versions 4.7.8 or greater, or 4.6.17 or greater
- Upgrade to CiviCRM 4.7.8 or greater, or 4.6.17 or greater
- For 4.7.x sites, apply the patches from https://github.com/civicrm/civicrm-core/pull/8305
- For 4.6.x sites, apply the patches from https://github.com/civicrm/civicrm-core/pull/8340
Thanks to Gemma Potaka and Peter Davis of Fuzion NZ for reporting the issue, and to Jitendra Purohit, Peter Davis and Monish Deb for collaborating on the testing and fix.
- http://civicrm.stackexchange.com/questions/10422/should-civicrm-view-my-contact-permission-result-in-user-being-able-to-edit-t
- https://issues.civicrm.org/jira/browse/CRM-18239