U4-11065 - Sensitive data is shown in listviews

Created by Jeffrey Schoemaker 06 Mar 2018, 09:45:43 Updated by Shannon Deminick 13 Mar 2018, 00:26:09

Tags: Prioritize

If you mark a field as sensitive (for example 'Firstname') and a user logs on who is not a member of the group 'Sensitive' and this user browses to the member, Umbraco will show "This value is hidden. If you need access to view this value please contact your website administrator.": Hooray!

But if this field is shown on the default List View of Members ("Developer" => "Data types" => "List view - Members" => "Columns displayed" => "Add firstname"), it will be shown in the List View for this user.

Comments

Robert Copilau 12 Mar 2018, 11:24:43

PR: https://github.com/umbraco/Umbraco-CMS/pull/2514

How to test:

  • Create a member, add a new custom property and mark it as sensitive
  • Data Types -> List View - Members, add a new column for the custom property created
  • Log in with a user that does not have access to sensitive data, and check that the column value for that property is not available ("This value is hidden.")
  • Then log in with a user that has access to sensitive data and make sure the data is available


Shannon Deminick 13 Mar 2018, 00:25:07

Awesome work @robertcopilau! I've commented on your PR with some required changes and, as I mentioned, I made them so you can have a look at what I did. You can see my commit in revision: 89edfe578259b0de4673b842ad49ba4879794a23 including my commit notes.

I've tested all of the above and it works great!
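
The class of bug reported here, where a value is redacted in one view but not in another, is usually avoided by routing every output path through one redaction function. The sketch below is an added example, not code from the Umbraco code base or from the PR: the types `Member`, `MemberProperty` and `SensitiveDataFilter` and the `userCanViewSensitive` flag are hypothetical, and the sample data is constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical types for illustration; these are not Umbraco's classes.
record MemberProperty(string Alias, string Value, bool IsSensitive);
record Member(string Name, List<MemberProperty> Properties);

static class SensitiveDataFilter
{
    public const string Hidden = "This value is hidden.";

    // Single redaction point: the member editor and the list view both call this,
    // so a property marked sensitive cannot be masked in one and exposed in the other.
    public static string Display(MemberProperty p, bool userCanViewSensitive) =>
        p.IsSensitive && !userCanViewSensitive ? Hidden : p.Value;

    // Build list view rows for the configured columns, redacting on the server
    // before the data is serialized to the client.
    public static List<Dictionary<string, string>> ListViewRows(
        IEnumerable<Member> members, IEnumerable<string> columns, bool userCanViewSensitive)
    {
        return members.Select(m => columns.ToDictionary(
            alias => alias,
            alias =>
            {
                var prop = m.Properties.FirstOrDefault(p => p.Alias == alias);
                return prop is null ? "" : Display(prop, userCanViewSensitive);
            })).ToList();
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample data: "firstname" is marked sensitive, "city" is not.
        var members = new List<Member>
        {
            new Member("member1", new List<MemberProperty>
            {
                new MemberProperty("firstname", "Alice", true),
                new MemberProperty("city", "Utrecht", false)
            })
        };
        var columns = new[] { "firstname", "city" };

        // Mirrors the two test logins: without and with access to sensitive data.
        foreach (var canView in new[] { false, true })
        {
            var row = SensitiveDataFilter.ListViewRows(members, columns, canView)[0];
            Console.WriteLine($"canViewSensitive={canView}: firstname={row["firstname"]}, city={row["city"]}");
        }
    }
}
```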


Priority: Critical

Type: Bug

State: Fixed

Assignee:

Difficulty: Normal

Category: Security

Backwards Compatible: True

Fix Submitted:

Affected versions: 7.9.1, 7.9.2

Due in version: 7.9.3

Sprint: Sprint 80

Story Points: 1

Cycle: 8