Bug (approved)

Guest shouldn't have rights to delete or modify

Summary

approved
Oct 27, 2006
100%
Oct 27, 2006 / madlyr
Aug 5, 2009 / rafael.dalpra
pixtur
 

Attached files

No files uploaded
 
I see, that somone logged as guest deleted tasks:


and modified a lot of tasks - see History.

I think, this person shouldn't have for security reason rights to delete or modufy existing tasks/items.
Only to add new items.

Sooner or later somebody could destroy a lot of tasks...

12 Comments

guest:I restored some deleted tasks

12 years ago -

logged as guest - I can restoe them.
There was 2 additional tasks deleted by guest.
madlyr

madlyr:Tom, please adjust rights for guest, sb is playing here

12 years ago

I restored some new deleted tasks...

pixtur:reduced the rights...

12 years ago

Sorry for this. I am just busy with a new client and cannot check mails or streber during the day. Also I am currently not online at home... Probably not the best timing when releasing major upgrades ;-)

I reduced the rights of the guest account drastically ;-)

tom

madlyr:Reply to reduced the rights... - still guest can delete task

12 years ago

TOm, guest still can do with task anything.

madlyr:Tom, chceck if guest can delete task

12 years ago

I restored task deleted by guest at 31-10-2006.

madlyr:guest should have rights to add but not to modify or delete comments and tasks

12 years ago (2. update 12 years ago)

As guest it's a 'multiperson' so it's a risk to loose somebodys text written in comment or change of existing tasks, bug.

Guest should have access to add bug's/tasks and comments to tasks but shouldn't have rights to modify or delete tasks/bugs or comments.

madlyr:In comment view there are Page function Edit Delete

12 years ago

Login as guest and see: http://streber.pixtur.de/2617 - in comment view still visible Page functions Edit and Delete. I see that the rights to perform these funtions are insufficient now, but it's better not to show these functions at all.

pixtur:I will invest some time in figuring out a good right setup

12 years ago

I know this still needs some tuning.

guest:tasks created by guest are editable and deletable by guest

12 years ago -

still too much rights for guests...

guest:comments created by guests are editable and deletable by guest too...

12 years ago -

yeah, it was me madlyr as guest... ;-)

pixtur:ok.. reduced it further

12 years ago


pixtur:done?

11 years ago