LCM technical and security policy details
The legal case management software (LCM) is a client-server web-based application written in PHP 4.x. The information is stored in a MySQL or PostgreSQL database (and may be ported to other databases). LCM promotes software freedom and is distributed under the terms of the GNU General Public License.
LCM adheres to strict coding standards and aims to minimise the risk of SQL injection, global variable attacks (input injected through PHP's register_globals), cross-site scripting (XSS) and similar classes of bugs.
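The three bug classes named above, shown as the risky PHP 4 idiom next to its hardened form. This is an added illustration, not code from LCM; the table and column names (lcm_case, id_case, title), the $db handle and the function names are assumptions made for the example.

```php
<?php
// Added example, not LCM code: the three bug classes named above, each as
// the risky PHP 4 idiom beside its hardened form. Table and column names
// (lcm_case, id_case, title) and the $db handle are illustrative assumptions.

// 1. Global variable attack. With register_globals = On (the default before
//    PHP 4.2) every request parameter becomes a global variable, so a variable
//    the code forgot to initialise can be supplied by the attacker (?is_admin=1).
function risky_is_admin() {
    global $is_admin;          // never assigned by the application itself
    return !empty($is_admin);
}
//    Hardened: initialise every variable and take privilege only from state
//    the server controls (here the session), never from the request.
function hardened_is_admin($session) {
    $is_admin = false;
    if (isset($session['is_admin']) && $session['is_admin'] === true) {
        $is_admin = true;
    }
    return $is_admin;
}

// 2. SQL injection. Risky: request data concatenated straight into the query.
function risky_case_query($id_from_request) {
    return "SELECT id_case, title FROM lcm_case WHERE id_case = " . $id_from_request;
}
//    Hardened: coerce numeric input to the expected type ...
function hardened_case_query($id_from_request) {
    $id_case = intval($id_from_request);
    return "SELECT id_case, title FROM lcm_case WHERE id_case = " . $id_case;
}
//    ... and escape string input with the driver's own function and quote it
//    (mysql_real_escape_string for MySQL, pg_escape_string for PostgreSQL).
//    Needs an open connection, so it is defined but not run below.
function hardened_title_search($db, $needle) {
    $safe = mysql_real_escape_string($needle, $db);
    return "SELECT id_case, title FROM lcm_case WHERE title LIKE '%" . $safe . "%'";
}

// 3. Cross-site scripting. Risky: stored text echoed unescaped into HTML.
function risky_render_title($title) {
    return "<h1>" . $title . "</h1>";
}
//    Hardened: escape on output, including quotes, with an explicit charset.
function hardened_render_title($title) {
    return "<h1>" . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . "</h1>";
}

// Demonstration with constructed attacker input.
$is_admin = '1';   // simulates what register_globals does for ?is_admin=1
var_dump(risky_is_admin());              // the request has made the attacker "admin"
var_dump(hardened_is_admin(array()));    // no session flag: denied

$attack_id = "1 OR 1=1";
echo risky_case_query($attack_id), "\n";
echo hardened_case_query($attack_id), "\n";

$attack_title = '<script>alert(document.cookie)</script>';
echo risky_render_title($attack_title), "\n";
echo hardened_render_title($attack_title), "\n";
```

Run with `php example.php`: the risky query keeps the injected `OR 1=1`, the hardened one reduces the input to the integer 1, and the hardened title renders the script tag as inert text. The escaping function is tied to the database driver, which is why a portable code base (MySQL or PostgreSQL here) usually wraps it behind a single helper rather than calling the driver directly.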
If you plan to store sensitive information in the system, we recommend installing LCM on the local area network of the organisation rather than on a server reachable from the Internet: an attacker who compromises another application hosted on the same server could read or modify the database directly, bypassing LCM's access controls altogether. If an Internet-facing installation is unavoidable, keep the services installed on that server to a strict minimum and serve LCM only over HTTPS (install an SSL certificate), so that logins and case data are not sent in clear text.
To report a security issue, contact: legalcase-core@lists.sf.net (private list).
Security alerts are sent to the legalcase-news mailing list. We strongly encourage administrators to subscribe to this list.
Each staff member has a personal account to access the system, for which specific access rights are granted on a case-by-case basis.
There are two basic valid access types: normal and administrator.
“Administrator” access: gives the right to access any information in the system, regardless of the per-case access rights. Administrators also have the right to access the site configuration panel, to customise fields, to generate reports and to import/export the database.
“Normal” access: gives the right to access only those cases that are either marked as “public” or on which the user is explicitly assigned. Once assigned, a user may have the right to consult (read), contribute (write) or administrate the case. By default, the administrator of a case is the user who created it. Administrative rights allow the user to edit the existing information of the case and to change its status or stage.
There are two other user types, which do not provide access to the system: external and closed.
Closed: is equivalent to deleting an existing user. The account will never be deleted (since existing information may depend on it, and it would otherwise break the integrity of the database). Instead, the access of the user is blocked.
External: is available in order to create a user who does not (and never will) have access to the system. It is used mostly by organisations that need to show in their reports that a specific person was assigned to a case.
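The access model just described, written out as a single authorisation function so the rules can be checked against each user type, including a closed account whose old case assignments still exist. This is an added example and not LCM's own code; the array layout, the function names and the assumption that a “public” case grants read access only (the text does not say which right it grants) are illustrative.

```php
<?php
// Added example, not LCM code: the access model described above as a pure
// function over plain arrays. The user types, the public flag and the three
// per-case rights follow the text; array layout, function names and the
// assumption that a public case grants read access only are illustrative.

// Per-case rights a user can hold once assigned; each implies the lower ones.
$LCM_RIGHT_RANK = array('read' => 1, 'write' => 2, 'admin' => 3);

// A newly created case is administered by its creator by default.
function lcm_new_case($id_case, $creator, $public = false) {
    return array('id' => $id_case, 'public' => $public,
                 'assigned' => array($creator['id'] => 'admin'));
}

// $user   : array('id' => int, 'type' => 'admin'|'normal'|'external'|'closed')
// $case   : array('id' => int, 'public' => bool, 'assigned' => array(id_user => right))
// $action : 'read' | 'write' | 'admin' ('admin' covers changing status or stage)
function lcm_can($user, $case, $action) {
    global $LCM_RIGHT_RANK;
    if (!isset($LCM_RIGHT_RANK[$action])) {
        return false;                       // unknown action: deny by default
    }
    switch ($user['type']) {
        case 'admin':
            return true;                    // any information, regardless of per-case rights
        case 'normal':
            if ($action == 'read' && !empty($case['public'])) {
                return true;                // public cases are readable by all normal users
            }
            if (!isset($case['assigned'][$user['id']])) {
                return false;               // not assigned to this case
            }
            $held = $case['assigned'][$user['id']];
            return isset($LCM_RIGHT_RANK[$held])
                && $LCM_RIGHT_RANK[$held] >= $LCM_RIGHT_RANK[$action];
        default:
            // 'external' and 'closed' accounts never log in, so an assignment
            // that still exists (kept for referential integrity) grants nothing.
            return false;
    }
}

// Only administrators reach the configuration panel, custom fields,
// report generation and database import/export.
function lcm_can_configure($user) {
    return $user['type'] == 'admin';
}

// Constructed sample users and cases.
$alice = array('id' => 1, 'type' => 'admin');
$bob   = array('id' => 2, 'type' => 'normal');
$carol = array('id' => 3, 'type' => 'normal');
$dave  = array('id' => 4, 'type' => 'external');
$erin  = array('id' => 5, 'type' => 'closed');

$case_a = lcm_new_case(10, $bob);           // bob created it, so bob administers it
$case_a['assigned'][3] = 'read';            // carol may consult
$case_a['assigned'][4] = 'write';           // dave appears in reports but never logs in
$case_a['assigned'][5] = 'admin';           // erin held admin before her account was closed
$case_b = lcm_new_case(11, $alice, true);   // a public case

foreach (array('read', 'write', 'admin') as $action) {
    printf("case A %-5s alice=%d bob=%d carol=%d dave=%d erin=%d\n", $action,
        lcm_can($alice, $case_a, $action), lcm_can($bob, $case_a, $action),
        lcm_can($carol, $case_a, $action), lcm_can($dave, $case_a, $action),
        lcm_can($erin, $case_a, $action));
}
printf("case B read carol=%d write carol=%d configure bob=%d\n",
    lcm_can($carol, $case_b, 'read'), lcm_can($carol, $case_b, 'write'),
    lcm_can_configure($bob));
```

The point worth checking in any implementation of this model is the `default` branch: because closed accounts are never deleted, their rows in the assignment table survive, so the check on the user's type must come before the check on the assignment, or a closed (or external) account with a leftover “admin” assignment would be granted access.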
LCM is designed for the wide range of requirements of our users in various countries, whose activities range from legal offices (administrative or criminal law) and advice centres to trade-union grievance handling.
The following elements may be customised:
Custom fields: drop-down menus and text fields added to forms; before LCM 0.7.2 these were known as “keywords”.
Custom validation functions: to validate contact addresses, phone numbers, e-mails and many other fields, including the case title.
Custom strings: to change a few labels of the software in a way that remains compatible across upgrades.
Custom reports: to complement the basic report system, LCM provides an easy-to-use API for developing custom reports in PHP.
More information is available in: Customizing LCM.