Personal Email Security Question

**dbjohnso86** · 2012-01-25, 12:43 PM

Is it normal that a user can see other users "Personal Mail Configurations" and either edit them and or delete them. It appears that all users can see all other users Email configs and delete them even though these users are not admins.

**Chris_C** · 2012-01-25, 10:06 PM

You're right - When you go into Emails / Settings / Mail Accounts, and hover over the "Type (i)" info icon, the popup info box says "Personal: Email account accessible by you. Only you can manage and import emails from this account."

So it SHOULD be visible/editable only by the individual user and the admin.

On your Sugar instance - does it list other users' Personal Email Accounts there, and lets you edit the settings ?

What version are you running?
On what hosting platform - on-premise or hosted ?
Hosted where?

**dbjohnso86** · 2012-01-26, 01:11 PM

The working platform is Windows 2008 R2 running SCE 6.2.3 (Build 6658)
however after seeing this I built a Linux(Centos 6) back end with SCE 6.2.3 and noticed the same ?issue?
So I then re-built a 2nd Linux box and went with 6.3.1 this time and had the same issue...

If I go Emails / Settings / Mail Accounts only the account you would expect to see is shown however if for example another persons Email folder is visible in the "Last Viewed" section at which point if I click on their folder I can then "Edit" it or "Delete" their email confi.

Also if I get to an action where the "All Mail Accounts" icon is visible
I can then show a listing of ALL personal emails (in the list that then appears they all show as "personal" as the type and not Group.... At that point I can then select any or all of them and delete them all... This is true for all accounts...

This is with installing sugar from scratch and populating with demo data OR with using a clean install with no demo data or accounts and just creating (2) or more employee accounts from scratch...

Originally Posted by Chris_C

You're right - When you go into Emails / Settings / Mail Accounts, and hover over the "Type (i)" info icon, the popup info box says "Personal: Email account accessible by you. Only you can manage and import emails from this account."

So it SHOULD be visible/editable only by the individual user and the admin.

On your Sugar instance - does it list other users' Personal Email Accounts there, and lets you edit the settings ?

What version are you running?
On what hosting platform - on-premise or hosted ?
Hosted where?

**Chris_C** · 2012-01-27, 07:19 PM

dbjohnso86,

You definitely found a bug. Good job.

You should copy paste all the detail above, into the Sugar bug system, so the devs can fix it:

SugarCRM Bug Tracker | Open Source Business & Social CRM - SugarCRM