Dolibarr: A Vulnerability security External users

Created on 27 May 2020  Â·  4Comments  Â·  Source: Dolibarr/dolibarr

Hello @eldy I hope you all are well,

The external users can sending an emails from their login dashboard, which must not allow to the external customers to send emails to themself or to anyone as they was able to show print page button or downloads PDF.

We acutely made permissions for list of groups to our clients and we gives only permissions for those modules only
(- Read & create customer orders,
• Read customer invoices,
• Read projects and tasks,
• Read third parties linked to user,
• See & Modify tickets )

notice the ticket module it doesn't even shows in the users end yet to users portal while we activated in Group permissions or even in user permissions.

The goal was only that clients can view their projects, invoices or making order, ticket for supporting from one place!

We found that the customers can and be able to send emails, to would behaving our/system email. and we tested with 10~12 Version, and we think the external users on the Dolibarr system shouldn’t have right to use or send emails by that buttons on any of modules.

I have had created issue in GitHub earlier 2018, but wasn’t solved yet.

However I have attached pictures from the user portal for more clarification.

Thank you for your attention to this matter,

image0
image1
image2
image3
image4
image5
image6
image7

Bug Security (CVE) good first issue hacktoberfest-accepted

Most helpful comment

Actually, it would also be interesting to restrict access to emails from the server for internal users. Not every user needs to be able to send emails from Dolibarr!

For example, we use an external accountant, who we want to give access to the all invoices (this he needs to be an internal user, not an external user), but we don't want to give him access to sending emails in the name of the company. We don't want to give him access to sending emails from his own user, either!

All 4 comments

Creating an event may be something useful, even for an external user. It can be used to save something done or todo, or a remind for tracking reasons.

However, i agree that feature to send email for external user may be disabled for external user...

Actually, it would also be interesting to restrict access to emails from the server for internal users. Not every user needs to be able to send emails from Dolibarr!

For example, we use an external accountant, who we want to give access to the all invoices (this he needs to be an internal user, not an external user), but we don't want to give him access to sending emails in the name of the company. We don't want to give him access to sending emails from his own user, either!

Creating an event may be something useful, even for an external user. It also so same something done, a remind for tracking reasons.

However, i agree that feature to send email for external user may be disabled for external user...
@eldy

True, but I think for EVENT should be appeared if the event/agenda module allowed when admin gives permissions to the users / groups.. that's make sense to me. but looks like the event is stuck.

And one more thing.. it would be greatly appreciated if possible to split the (add/edit)
for users permissions,

which we can allow the customers to create an orders/projects, or TICKET but customers can't edit (close or open) the previous orders or tickets!.

Was this page helpful?
0 / 5 - 0 ratings