I have configured Security Groups and Team Hierarchy. Any common user can see other users' stream, which is highly sensitive information. Although the user has been restricted on other teams'/users' records, they still see their Activity stream on the dashboard. Does the activity stream ignore Security Groups restrictions? How can I limit the stream so that the teams can only see their own activity and not that of anyone else outside of the team/hierarchy?
I am quite sure that the Dashlet restricts the records shown, as you can see by a similar bug here:
So records are hidden, but the bug is that a blank line shows.
Which version are you running? We might have to check your specific configuration since these things can be very dependent on details.
Meanwhile the author of that code has contributed a fix, you might want to try and see if it makes a difference also for your issue:
I am using SuiteCRM Version 7.10.11. The Security Suite Update seems to be quite critical to be added/updated into the Core CRM.
Waiting for its release to upgrade.
I’m optimistic that it will be in the next version, but I must clarify that, at this point, we are not treating this as a critical security issue, because the bug we knew about was not breaking any security concerns.
If it had, you wouldn’t be seeing this on GitHub, it would have been reported privately to firstname.lastname@example.org and we would be handling it secretly until release.
If you are convinced that you do have a case of broken security that is not just something peculiar to your system, I’d appreciate it if you initiate the report to that private email; this will help us make sure we are testing that critical case, and that it effectively goes into the release. Thanks.