
Spreadsheet view allows editing fields and records that the user does not have access to

Description

I've just done some experimenting with editable displays in 1.6 and 1.7, and even if users have been marked as not having access to the base record type (e.g. researcher role on the demo server at demo.collectiveaccess.org), they can edit records that they should not be able to. Is there a simple access check that can be made before updating the field at least, or at least a flag for 'can use editable view' for the role?

Environment

None

Activity

User known
October 18, 2016, 12:26 AM

This issue concerns type-based access control only?

Kehan Harman
October 18, 2016, 4:14 PM

I replicated it on your demo server which doesn't have type-based access control. I created a user and put them in the researcher role, logged in as that user and managed to change simple attribute values and intrinsics. Pop-up fields were not editable. Will test again in a bit as I'm not sure what field-level access control existed for researcher (they didn't have the action permissions for objects other than searching and browsing).

Kehan Harman
October 18, 2016, 8:15 PM

On testing in 1.6.1 I now cannot replicate it there, but I can still replicate this in 1.7-dev (the demo server). I created a user with the 'researcher' role on demo.collectiveaccess.org. Additionally I updated the researcher role and turned field access to 'read only' for all record types, and still managed to change object titles. For example see: http://demo.collectiveaccess.org/find/SearchObjects/Index/search/lighthouse (presuming the database hasn't been reset).
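The server-side check the description asks for, covering the case in the comment above where field access is set to read-only yet titles remain editable, as an added illustration that is not CollectiveAccess code: every cell edit submitted from the spreadsheet view is authorised against the role's action permission on the record type and the field-level access setting before anything is written, so the editable grid goes through the same gate as the ordinary record editor. Role names, the record type "objects", the field names, the "edit"/"read" access vocabulary and the deny-by-default rule for unconfigured fields are assumptions made for this example.

```python
"""Added example (not CollectiveAccess code): authorising spreadsheet-view
edits on the server before any write, so an editable grid cannot bypass the
checks that the regular record editor applies.
Assumptions: role names, the record type "objects", field names, the
"edit"/"read" vocabulary and deny-by-default for fields with no configured
access level."""
from dataclasses import dataclass


@dataclass
class Role:
    name: str
    # action permissions per record type, e.g. {"objects": {"search", "browse"}}
    actions: dict
    # field-level access per record type: "edit" or "read" (assumed vocabulary)
    field_access: dict


def can_edit_field(role: Role, record_type: str, field_name: str) -> bool:
    """A cell may be written only if the role holds the 'edit' action for the
    record type AND the field is not restricted to read-only access.
    Missing configuration counts as denial (assumption for this example)."""
    if "edit" not in role.actions.get(record_type, set()):
        return False
    level = role.field_access.get(record_type, {}).get(field_name)
    return level == "edit"


def apply_spreadsheet_edits(role: Role, record_type: str, records: dict, edits: list):
    """Apply a batch of (record_id, field, value) edits coming from the grid.
    Every cell is authorised before any write: if one cell is denied the whole
    batch is left untouched and the denied (record_id, field) pairs are
    returned; an empty list means all edits were applied."""
    denied = [(rid, f) for rid, f, _ in edits
              if not can_edit_field(role, record_type, f)]
    if denied:
        return denied
    for rid, f, value in edits:
        records[rid][f] = value
    return []


# Constructed sample roles mirroring the report: "researcher" has search and
# browse only, with read-only field access; "editor" may edit most fields.
RESEARCHER = Role("researcher", {"objects": {"search", "browse"}},
                  {"objects": {"title": "read", "description": "read"}})
EDITOR = Role("editor", {"objects": {"search", "browse", "edit"}},
              {"objects": {"title": "edit", "description": "edit", "idno": "read"}})


def demo():
    # Constructed record store: one object record
    records = {1: {"title": "Lighthouse", "description": "", "idno": "2016.1"}}
    # Researcher attempt: denied at the action level, record unchanged
    denied_r = apply_spreadsheet_edits(RESEARCHER, "objects", records,
                                       [(1, "title", "X")])
    # Editor batch containing one read-only field: whole batch rejected
    denied_e = apply_spreadsheet_edits(EDITOR, "objects", records,
                                       [(1, "title", "Lighthouse (night)"),
                                        (1, "idno", "2016.2")])
    # Editor batch restricted to permitted fields: applied
    denied_ok = apply_spreadsheet_edits(EDITOR, "objects", records,
                                        [(1, "title", "Lighthouse (night)")])
    return denied_r, denied_e, denied_ok, records


if __name__ == "__main__":
    print(demo())
```

The point of checking the whole batch before writing is that a grid submission typically carries many cells at once; authorising each cell individually and writing as you go would leave a partially applied batch behind when a later cell is refused.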

User known
October 23, 2016, 12:36 AM
Edited

Fixes for 1.7 are in GitHub/develop. They work for me in my testing. Let me know how they work for you. Thanks.

Assignee

User known

Reporter

Kehan Harman

Labels

None

Components

Affects versions

Priority

Blocker