Document risk of exposing data to anonymous users via profiles
Created by: seancolsen
Migrated from https://issues.civicrm.org/jira/browse/CRM-18160
It is much too easy to grant permissions that inadvertently expose data.
Barring improvements to profiles and/or permissions (and even if they were improved), we should have clear documentation on the risk of doing so, and steps you can take to avoid it.
It should be discussed and/or cross-referenced in
- http://docs.civicrm.org/user/en/stable/initial-set-up/permissions-and-access-control/ and
When working on this, it might be a good time to merge information from the following wiki pages into the book and delete the wiki page:
Once complete, it probably makes sense to update UI references to the documentation in appropriate pages like the profiles config pages.
Further recommendations from a comment in the original issue
On http://docs.civicrm.org/user/en/stable/initial-set-up/permissions-and-access-control/ in the "Permissions and Access Control" section, add some verbiage stating that ACLs restricting access to contacts can be overridden in a search profile that's configured as "Public Pages and Listings" in 4.6 or "Expose Publicly and for Listings" in 4.7.
On http://docs.civicrm.org/user/en/stable/organising-your-data/profiles/ in the "Adding fields and choosing field settings in Profiles" section, item 6 "Visibility," indicate that the "Public Pages and Listings" in 4.6 or "Expose Publicly and for Listings" settings can cause data otherwise restricted by ACLs or to logged-in users to be made public. This should be given extra emphasis and styled as a "black box" warning.
civicrm/templates/CRM/UF/Form/Field.hlp should be updated to reflect the possibility of exposure of data publicly.
http://docs.civicrm.org/user/en/stable/initial-set-up/security/ deals with physical and network security and, in my opinion, isn't relevant and does not need to be revised.