A Vulnerability security External users #13983
Closed

sam-anam1 opened this issue May 27, 2020 · 5 comments

Labels: good-first-issue (This is a good issue to make your first PR), hacktoberfest (This is a good issue to try make your first PR if you don't know very well the project), Priority - Security (This is a bug identified as a security bug)

Comments

@sam-anam1 (Author) opened this issue May 27, 2020

Hello @eldy I hope you all are well,

External users can send emails from their login dashboard, which must not be allowed: external customers should not be able to send emails to themselves or to anyone, as they were able to see the print page button or download PDFs.

We actually set permissions for a list of groups for our clients, and we gave permissions only for these modules:
• Read & create customer orders
• Read customer invoices
• Read projects and tasks
• Read third parties linked to user
• See & modify tickets

Notice that the ticket module doesn't even show up in the users' portal, although we activated it in group permissions and even in user permissions.

The goal was only that clients can view their projects and invoices, or make orders and support tickets, from one place!

We found that the customers can and are able to send emails, which would behave as our/system email. We tested with versions 10~12, and we think the external users on the Dolibarr system shouldn't have the right to use or send emails via those buttons in any of the modules.

I had created an issue on GitHub earlier, in 2018, but it wasn't solved yet.

However, I have attached pictures from the user portal for more clarification.

Thank you for your attention to this matter,

[Eight screenshots of the user portal were attached to the issue (image0 to image7); they are not reproduced here.]

@eldy (Member) commented May 28, 2020

Creating an event may be something useful, even for an external user. It can be used to save something done or to do, or a reminder for tracking reasons.

However, I agree that the feature to send email may be disabled for external users...

@eldy added the labels good-first-issue (This is a good issue to make your first PR) and hacktoberfest (This is a good issue to try make your first PR if you don't know very well the project) on May 28, 2020

@ToniTen commented May 29, 2020

Actually, it would also be interesting to restrict access to emails from the server for internal users. Not every user needs to be able to send emails from Dolibarr!

For example, we use an external accountant, who we want to give access to all invoices (for this he needs to be an internal user, not an external user), but we don't want to give him access to sending emails in the name of the company. We don't want to give him access to sending emails from his own user, either!
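The two requests above (eldy's: no email sending for external users; ToniTen's: make email sending an explicit right even for internal users) come down to one server-side gate in front of the "send email" action. The PHP below is an added example written for this thread, not Dolibarr's own code: the `PortalUser` class, the `socid > 0` convention for external users and the `mail.send` right name are assumptions modelled on the discussion, not real Dolibarr identifiers.

```php
<?php
// Added example, not Dolibarr code. Policy under test:
//   - external (customer) users are never allowed to send email;
//   - internal users need an explicit, separately grantable right.
// The user shape, the socid convention and the right name are assumptions.

/** Minimal stand-in for a user record (assumption; not Dolibarr's $user object). */
final class PortalUser
{
    public function __construct(
        public readonly string $login,
        public readonly int $socid,          // assumption: > 0 marks an external (customer) user
        public readonly array $rights = [],  // constructed right names, e.g. ['invoice.read']
    ) {}

    public function isExternal(): bool
    {
        return $this->socid > 0;
    }

    public function hasRight(string $right): bool
    {
        return in_array($right, $this->rights, true);
    }
}

/** Single decision point: the only place that answers "may this user send email?". */
function canSendEmail(PortalUser $user): bool
{
    if ($user->isExternal()) {
        return false;                       // external customers: always denied
    }
    return $user->hasRight('mail.send');    // hypothetical dedicated right for internal users
}

/**
 * Guard for the action handler itself. Hiding the button in the template is not
 * enough, because the POST can be sent without the button; the check must also
 * run here, and denials are logged so they can be spotted in monitoring.
 */
function handleSendMailAction(PortalUser $user, array $post): array
{
    if (!canSendEmail($user)) {
        error_log(sprintf(
            'sendmail denied: user=%s external=%d',
            $user->login,
            (int) $user->isExternal()
        ));
        return ['status' => 403, 'body' => 'Sending email is not allowed for this user'];
    }
    // ... build and send the message from $post here ...
    return ['status' => 200, 'body' => 'Message sent'];
}

/** Template helper: render the button only when the same gate says yes. */
function renderSendMailButton(PortalUser $user): string
{
    return canSendEmail($user) ? '<a class="butAction" href="?action=presend">Send email</a>' : '';
}

// Constructed sample users covering the cases raised in the thread.
$customer   = new PortalUser('client1', 42, ['order.create', 'invoice.read']); // external user
$accountant = new PortalUser('acct',     0, ['invoice.read']);                  // internal, no mail right
$sales      = new PortalUser('sales',    0, ['invoice.read', 'mail.send']);     // internal, mail right

foreach ([$customer, $accountant, $sales] as $u) {
    $result = handleSendMailAction($u, ['subject' => 'test']);
    printf("%-10s button=%s status=%d\n", $u->login, renderSendMailButton($u) !== '' ? 'shown' : 'hidden', $result['status']);
}
```

Routing both the template and the action handler through the same `canSendEmail()` function is the design point: the customer (external) and the accountant (internal without the right) get a 403 and no button, while only the sales user with the explicit right can send.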

@sam-anam1 (Author) commented May 31, 2020

"Creating an event may be something useful, even for an external user. It can also be used to save something done, or a reminder for tracking reasons.

However, I agree that the feature to send email for external users may be disabled for external users..."
@eldy

True, but I think the EVENT should appear only if the event/agenda module is allowed, when the admin gives permissions to the users / groups. That makes sense to me, but it looks like the event is stuck.

@sam-anam1 (Author) commented

And one more thing: it would be greatly appreciated if it were possible to split the (add/edit) user permissions,

so that we can allow customers to create orders/projects or TICKETS, but customers can't edit (close or open) the previous orders or tickets!

@dpriskorn added the label Priority - Security (This is a bug identified as a security bug) on Aug 7, 2020

@eldy (Member) commented Oct 2, 2021

This ticket is still open with no progression because it contains too many different topics, with no chance of being processed by anybody, so I close it in the hope of having instead several smaller tickets (one for each minor change) to increase the chance of having it processed by a contributor...

@eldy eldy closed this as completed Oct 2, 2021