[Isis-users] ABCD allows delete display format file by user with only read-only access

Piet De Keyser piet.dekeyser at ucll.be
Mon Sep 18 16:19:01 CEST 2017


Fred,

It all depends on the user profiles: one of the options there is:

Create/edit/save display formats

You can disable this option for a certain profile.

Piet



From: fred train [mailto:fred_train at xs4all.nl]
Sent: Monday 18 September 2017 16:09
To: Piet De Keyser <piet.dekeyser at ucll.be>; Isis Comunidad <isis-users at iccisis.org>
Subject: Re: [Isis-users] ABCD allows delete display format file by user with only read-only access

Hello Piet
Thanks for this tip (this is worth investigating).
However: the problem is also present for other roles.
Example: we have a role that is allowed to edit single records and to print/report. This role is also capable of deleting the selected PFT.
In fact, any role with print/report capabilities can delete PFTs.
That remains an undesired situation, so my request to add the code below (or similar) remains active.
Thanks & Regards
Fred
On 18-9-2017 at 16:00, Piet De Keyser wrote:
Dear Fred,

I don't understand why you should use ABCD in read-only mode. It seems to me that people with only read access should use IAH.

Piet de Keyser
UC Leuven-Limburg
Belgium

From: isis-users [mailto:isis-users-bounces+piet.dekeyser=ucll.be at iccisis.org] On behalf of fred train
Sent: Monday 18 September 2017 15:18
To: Isis Comunidad <isis-users at iccisis.org>
Subject: [Isis-users] ABCD allows delete display format file by user with only read-only access

Hello team
We are working with ABCD 1.4 and are in the process of defining new profiles for our installation.
We have defined a "read-only" role. In order to give this role an option to print/report, we have marked the option "Print Records".

Unfortunately this option shows a screen with links to Edit/Delete a selected PFT file.
See attached screenshot.
And the "Delete" button is functional: it deletes the file!!
The "Edit" button is shown but has no effect. Not dangerous, only not nice.

I have tracked this down to code in .../www/htdocs/central/dbadmin/pft.php, line 741:

    echo "<a href=javascript:LeerArchivo(\"\")>".$msgstr["edit"]."</a> | <a href=javascript:EliminarFormato()>".$msgstr["delete"]."</a>";

It should be controlled by permissions, like:

    if (isset($_SESSION["permiso"]["CENTRAL_ALL"]) or
        isset($_SESSION["permiso"]["CENTRAL_EDPFT"]) or
        isset($_SESSION["permiso"][$arrHttp["base"]."_CENTRAL_ALL"]) or
        isset($_SESSION["permiso"][$arrHttp["base"]."_CENTRAL_EDPFT"])) {

        echo "<a href=javascript:LeerArchivo(\"\")>".$msgstr["edit"]."</a> | <a href=javascript:EliminarFormato()>".$msgstr["delete"]."</a>";

    }

My request is to add this or similar code to new versions of ABCD in order to prevent read-only users from modifying anything in the database definition files.
Comments are also welcome.

Thanks and regards

Fred Hommersom
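An added example, not ABCD's code and not part of the thread, that factors the permission test from Fred's snippet into one helper and applies it in two places: where pft.php renders the Edit/Delete links, and at the top of a delete handler. The second place goes beyond what the thread proposes: hiding the link only changes the page, and if the server-side script that EliminarFormato() requests does not check the permission itself, a user who knows the request can still send it and delete the file. The helper name `canEditPft()`, the handler `deletePftOrFail()`, its `$pftDir`/`$name` parameters and the assumption that a PFT is a plain file under one directory are all hypothetical; the `$_SESSION["permiso"]` keys are the ones from Fred's snippet.

```php
<?php
// Added example, not ABCD code. Assumes the session layout seen in the
// thread: $_SESSION["permiso"] is an array keyed by permission name, and the
// per-database variants are "<base>_CENTRAL_ALL" / "<base>_CENTRAL_EDPFT".
function canEditPft(array $session, string $base): bool
{
    $permiso = $session["permiso"] ?? [];
    $keys = [
        "CENTRAL_ALL",
        "CENTRAL_EDPFT",
        $base . "_CENTRAL_ALL",
        $base . "_CENTRAL_EDPFT",
    ];
    foreach ($keys as $key) {
        if (isset($permiso[$key])) {
            return true;
        }
    }
    return false;
}

// Render side (the pft.php case from the thread): the links are emitted only
// for a user who may edit formats; everyone else gets an empty string.
function renderPftLinks(array $session, string $base, array $msgstr): string
{
    if (!canEditPft($session, $base)) {
        return "";
    }
    return '<a href="javascript:LeerArchivo(\'\')">' . htmlspecialchars($msgstr["edit"]) . '</a>'
         . ' | '
         . '<a href="javascript:EliminarFormato()">' . htmlspecialchars($msgstr["delete"]) . '</a>';
}

// Action side (hypothetical handler for the request EliminarFormato() makes).
// The same check runs here, so a read-only user who calls the URL directly
// gets a 403 instead of a deleted file. $pftDir and the "name is a plain
// file inside $pftDir" convention are assumptions for this example.
function deletePftOrFail(array $session, string $base, string $pftDir, string $name): bool
{
    if (!canEditPft($session, $base)) {
        http_response_code(403);
        return false;
    }
    // Refuse path traversal: only a bare file name, no "/", "." or "..".
    if ($name === "" || $name === "." || $name === ".." || basename($name) !== $name) {
        http_response_code(400);
        return false;
    }
    $path = rtrim($pftDir, "/") . "/" . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return false;
    }
    return unlink($path);
}

// Constructed sample sessions: a read-only profile and one with CENTRAL_EDPFT.
$readOnly = ["permiso" => ["CENTRAL_PRINT" => 1]];
$editor   = ["permiso" => ["CENTRAL_EDPFT" => 1]];
$msgstr   = ["edit" => "Edit", "delete" => "Delete"];

var_dump(canEditPft($readOnly, "marc"));            // bool(false)
var_dump(canEditPft($editor, "marc"));              // bool(true)
var_dump(renderPftLinks($readOnly, "marc", $msgstr) === "");   // bool(true)
var_dump(deletePftOrFail($readOnly, "marc", "/tmp", "x.pft")); // bool(false), 403
```

The point of the split is that `canEditPft()` is the single place the rule lives: the rendering code and the deleting code cannot drift apart, and a new action that touches PFT files only has to call the same helper. The `basename()` check is there because a handler that takes a file name from the request and passes it to `unlink()` must not accept anything that escapes the PFT directory.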
