[Isis-users] ABCD allows delete display format file by user with only read-only access
Piet De Keyser
piet.dekeyser at ucll.be
Mon Sep 18 16:00:15 CEST 2017
Dear Fred,
I don’t understand why you should use ABCD in read only mode. It seems to me that people with only read access should use IAH.
Piet de Keyser
UC Leuven-Limburg
Belgium
From: isis-users [mailto:isis-users-bounces+piet.dekeyser=ucll.be at iccisis.org] On behalf of fred train
Sent: Monday 18 September 2017 15:18
To: Isis Comunidad <isis-users at iccisis.org>
Subject: [Isis-users] ABCD allows delete display format file by user with only read-only access
Hello team
We are working with ABCD 1.4 and are in the process of defining new profiles for our installation.
We have defined a "read-only" role. In order to give this role an option to print/report we have marked option "Print Records".
Unfortunately this option shows a screen with links to Edit/Delete a selected PFT file.
See attached screenshot.
And the "Delete" button is functional: it deletes the file!!
The "Edit" button is shown but has no effect. Not dangerous, only not nice.
I have tracked this down to code in .../www/htdocs/central/dbadmin/pft.php, line 741.
echo "<a href=javascript:LeerArchivo(\"\")>".$msgstr["edit"]."</a> | <a href=javascript:EliminarFormato()>".$msgstr["delete"]."</a>";
Should be controlled by permissions like:
if (isset($_SESSION["permiso"]["CENTRAL_ALL"]) or
isset($_SESSION["permiso"]["CENTRAL_EDPFT"]) or
isset($_SESSION["permiso"][$arrHttp["base"]."_CENTRAL_ALL"]) or
isset($_SESSION["permiso"][$arrHttp["base"]."_CENTRAL_EDPFT"])){
echo "<a href=javascript:LeerArchivo(\"\")>".$msgstr["edit"]."</a> | <a href=javascript:EliminarFormato()>".$msgstr["delete"]."</a>";
}
My request is to add this or similar code to new versions of ABCD in order to prevent read-only users from modifying anything in the database definition files.
Comments are also welcome.
Thanks and regards
Fred Hommersom
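
Added example (not ABCD source and not part of the original messages): the four-key permission test proposed above, factored into one function so the same check can guard both the rendered links and the request that performs the delete. The permission keys are the ones quoted in the message; the function names, the database name "biblo" and the sample sessions are hypothetical.

```php
<?php
// Added example, not ABCD source. Function names and sample data are hypothetical.

/** True when the session holds any of the four PFT-editing permissions. */
function canEditPft(array $session, string $base): bool
{
    $perms = $session["permiso"] ?? [];
    $keys  = ["CENTRAL_ALL", "CENTRAL_EDPFT",
              $base . "_CENTRAL_ALL", $base . "_CENTRAL_EDPFT"];
    foreach ($keys as $key) {
        if (isset($perms[$key])) {
            return true;
        }
    }
    return false;
}

/** Rendering side: emit the Edit/Delete links only for permitted users. */
function renderPftLinks(array $session, string $base, array $msgstr): string
{
    if (!canEditPft($session, $base)) {
        return "";
    }
    return "<a href='javascript:LeerArchivo(\"\")'>" . $msgstr["edit"] . "</a> | "
         . "<a href='javascript:EliminarFormato()'>" . $msgstr["delete"] . "</a>";
}

/** Handler side (hypothetical): refuse the delete before touching any file. */
function handleDeleteFormat(array $session, string $base, callable $delete): int
{
    if (!canEditPft($session, $base)) {
        return 403;   // hiding the link does not block a request sent directly
    }
    $delete();
    return 200;
}

// Constructed sample sessions; EXAMPLE_PRINT_ONLY is a placeholder key.
$msgstr   = ["edit" => "Edit", "delete" => "Delete"];
$readOnly = ["permiso" => ["EXAMPLE_PRINT_ONLY" => "Y"]];
$editor   = ["permiso" => ["biblo_CENTRAL_EDPFT" => "Y"]];
$deleted  = false;
$delete   = function () use (&$deleted) { $deleted = true; };

var_dump(renderPftLinks($readOnly, "biblo", $msgstr));        // empty string
var_dump(handleDeleteFormat($readOnly, "biblo", $delete));    // 403
var_dump($deleted);                                           // still false
var_dump(handleDeleteFormat($editor, "biblo", $delete));      // 200
var_dump($deleted);                                           // now true
```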