[Vtigercrm-commits] [Vtiger development] #8605: Users can delete opportunity records via the calendar module when they don't have permission
Vtiger development
vtiger-tickets at trac.vtiger.com
Tue Jul 21 13:38:51 GMT 2015
#8605: Users can delete opportunity records via the calendar module when they
don't have permission
-------------------------+-------------------------------------------------
Reporter: markcox | Owner: developer
Type: defect | Status: new
Priority: major | Milestone: Unassigned
Component: vtigercrm | Version: 6.3.0
Severity: High | Keywords: Opportunity, Delete, Profile,
| Permission
-------------------------+-------------------------------------------------
Users are able to delete opportunity records via the calendar even when
their profile is configured so that they cannot delete opportunity
records.
I have replicated this bug in your demo.
To replicate this bug-:
1. Configure a profile so that 'Delete' is unchecked for Opportunities.
2. Configure a user to use that profile
3. Login as that user.
4. Create an opportunity.
5. Go to the Calendar module. Hover cursor over the opportunity entry.
6. Click the trash icon
The opportunity record is then deleted when this should NOT be possible!
Note, that I've tested this in vTiger on-demand and the issue does not
occur. It returns permission denied.
--
Ticket URL: <http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/8605>
Vtiger development <http://trac.vtiger.com/>
Vtiger CRM
More information about the vtigercrm-commits
mailing list