[Vtigercrm-developers] Dashboards/Widgets and Security...

Siam Translations LLP info at siam-translations.com
Fri Apr 4 10:43:01 GMT 2014


Noticed the same. Exposing unwanted information should be understood as a
security hole and needs prioritized attention.


Andrew



On 04-04-2014 3:18 PM, Alan Lord wrote:
> Here's a use-case for VT6 that isn't really covered by the existing 
> design of the Dashboard and other widgets from what I can tell.
>
> We recently implemented VT6 for a customer and they are pretty happy 
> with it. They sell hardware and services via a fairly small network of 
> dealers.
>
> They give each dealer a single login to vtiger with a fairly 
> restrictive profile so they can basically just manage their Leads.
>
> The issue comes with the Dashboard, esp. the History Widget (and 
> probably the Activity [modTracker] widget on the summary page too, but 
> I haven't checked that one). When they first tested logging in as a 
> Dealer they were limited to seeing their own Lead records, which is 
> fine and expected. But the Dashboard History Widget shows *all* 
> activities. This could, for example, show that a Lead had been 
> assigned to a different Dealer in the same country, or perhaps a 
> derogatory comment regarding a Dealer/Customer.
>
> Comments/Suggestions?
>
> Cheers
>
> Al