Sapiens.BI helps you produce effective reports with charts in a fast and easy way. It is a SugarCRM BI plug-in with powerful reporting capabilities, ease of use, elegant design, and a quick and easy setup. This Reporting Tool is easy to use, there is no need for technical knowledge or SQL. The Sapiens.BI tool comes with over 100 pre-built reports.

Free 30 day trial
Try it Now

By clicking you consent to share your profile with the developer

#2615 - Rights Issue.

Closed Bug? created by Sohaib Majeed 6 years ago

One security Alarming issue regarding reports. i have created report and added users module in it. One user has only right to view the report. He can add multiple fields from fields tab. And he also can add user hash from users table. I think user's module fields should be only personal info fields not all fields. **This is major security con of this plugin. ** please review this

  1. sapiens-bi-primary-contact member avatar

    6 years ago

    Hello Sair,

    This shouldn't be so. If users have permission 'Can View' (and do not have permission 'Can Edit') under 'Sharing & Scheduling tab, nothing would change for them, if they click button Preview, Save or Save as; even if they did change the fields, they can not see and can not Save those changes.

    The only exception is admin users, we do not get limited.

    We just re-tested the latest published version on this, maybe you have to check. But if we are mistaking, please let us know.

    Thank you!

    Best Regards, IT Sapiens Team

  2. sairasarwar member avatar

    Sohaib Majeed

    6 years ago

    but user's hash should not be add able from fields tab. There should be limited information which user can add from fields. what you say?

  3. sapiens-bi-primary-contact member avatar

    6 years ago

    admin user can control permissions to the report: if report is editable, then all fields of related modules can be added to the reports; if user has read only permissions to the report, ha can not add any of the fields.

    Best Regards, IT Sapiens Team

  4. sairasarwar member avatar

    Sohaib Majeed

    6 years ago

    I understood your point. But i am talking about a different point. Let's suppose

    i created a report which also have related users module and shared with one user. I want to allow this user to just change filters of report, for that's reason i allowed user to edit the report Now user can also change fields of report and see users hash and other things too. which i think should be restricted.

    I think you should secure this plugin by restricting fields of users module. i don't think so that anyone needs user hash field in report.


  5. sapiens-bi-primary-contact member avatar

    6 years ago

    Thank you for the feedback! In a PRO version we have added functionality which allows to give permission to certain filters for read-only report users.

    Best Regards, IT Sapiens Team

This case is public. Please leave out any sensitive information such as URLs, passwords, etc.
Saving Comment Saving Comment...
  • "We have been using it for about a month and it is by far the best available reporting tool for SugarCRM. It is worth spending the time to learn how to use it. "

    Read More Reviews