Core issue #2332

Status: Closed
Created Jan 27, 2021 by darren.woods@darren.woods

Remove "Access all custom data" permission for Anonymous users.

Overview

As part of the default configuration set when installing Civi, the "Access all custom data" permission for "Anonymous" users is enabled within the CMS permissions list.

[Screenshot: Screenshot_2021-01-27_115611 (CMS permissions list showing "Access all custom data" enabled for Anonymous)]

Current behaviour

By default, users are able to craft URLs and see all custom data fields exposed via Profiles without authenticating. If individual field permissions are set correctly within the Profile, then no actual data is visible; however, malicious actors may use this information to probe the system further or gain metadata which could be useful, e.g. for social engineering.

Proposed behaviour

This permission should not be enabled by default.
