[Isis-users] ABCD allows delete display format file by user with only read-only access
spinaker
spinaker at adinet.com.uy
Mon Sep 18 18:06:44 CEST 2017
Everybody
I checked with version 1.5.x and the problem detected by Fred is real; I
think his tip should be analyzed.
thanks
regards
Ernesto Spinak
On 18/09/2017 at 11:19, Piet De Keyser wrote:
>
> Fred,
>
> It all depends on the user profiles: one of the options there is:
>
> Create/edit/save display formats
>
> You can disable this option for a certain profile.
>
> Piet
>
> *From:* fred train [mailto:fred_train at xs4all.nl]
> *Sent:* Monday 18 September 2017 16:09
> *To:* Piet De Keyser <piet.dekeyser at ucll.be>; Isis Comunidad <isis-users at iccisis.org>
> *Subject:* Re: [Isis-users] ABCD allows delete display format file by user with only read-only access
>
> Hello Piet
> Thanks for this tip (this is worth investigating).
> However: The problem is also present for other roles.
> Example: we have a role that is allowed to edit single records and to
> print/report. This role is also capable of deleting the selected PFT.
> In fact: any role with print/report capabilities can delete PFT's.
> And that remains an undesired situation, so my request to add below
> (or similar) code remains active.
> Thanks & Regards
> Fred
>
> On 18-9-2017 at 16:00, Piet De Keyser wrote:
>
> Dear Fred,
>
> I don’t understand why you should use ABCD in read only mode. It
> seems to me that people with only read access should use IAH.
>
> Piet de Keyser
>
> UC Leuven-Limburg
>
> Belgium
>
> *From:* isis-users [mailto:isis-users-bounces+piet.dekeyser=ucll.be at iccisis.org] *On behalf of* fred train
> *Sent:* Monday 18 September 2017 15:18
> *To:* Isis Comunidad <isis-users at iccisis.org> <mailto:isis-users at iccisis.org>
> *Subject:* [Isis-users] ABCD allows delete display format file by user with only read-only access
>
> Hello team
>
> We are working with ABCD 1.4 and are in the process of defining new
> profiles for our installation.
> We have defined a "read-only" role. In order to give this role an
> option to print/report we have marked option "Print Records".
>
> Unfortunately this option shows a screen with links to Edit/Delete
> a selected PFT file.
> See attached screenshot.
> And the "Delete" button is functional: it deletes the file!!
> The "Edit" button is shown but has no effect. Not dangerous, only
> not nice.
>
> I have tracked this down to code in
> .../www/htdocs/central/dbadmin/pft.php, line 741.
>
>
> echo "<a href=javascript:LeerArchivo(\"\")>".$msgstr["edit"]."</a> | <a href=javascript:EliminarFormato()>".$msgstr["delete"]."</a>";
>
> Should be controlled by permissions like:
>
> if (isset($_SESSION["permiso"]["CENTRAL_ALL"]) or
>     isset($_SESSION["permiso"]["CENTRAL_EDPFT"]) or
>     isset($_SESSION["permiso"][$arrHttp["base"]."_CENTRAL_ALL"]) or
>     isset($_SESSION["permiso"][$arrHttp["base"]."_CENTRAL_EDPFT"])) {
>
>     echo "<a href=javascript:LeerArchivo(\"\")>".$msgstr["edit"]."</a> | <a href=javascript:EliminarFormato()>".$msgstr["delete"]."</a>";
>
> }
>
> My request is to add this or similar code to new versions of ABCD
> in order to prevent that read-only users can modify anything in
> the database definition files.
> Comments are also welcome.
>
> Thanks and regards
>
> Fred Hommersom
>
--
Ernesto Spinak
spinaker at adinet.com.uy
Montevideo, Uruguay
tel/fax (598) 2622-3352
mobile (598) 99612238
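The check Fred proposes, written out as an added example (not code from ABCD or from anyone in the thread): the permission test is pulled into one function and applied both where the Edit/Delete links are rendered and in the script that actually removes the .pft file, since a link that is not shown is not an access control. The permission key names are the ones quoted above; `$pftDir`, the database name `MARC`, the sample role keys and the file-name rule are assumptions.

```php
<?php
// Added example, not ABCD project code: the permission test proposed in the
// thread, centralised so the link rendering and the delete action share it.
// Permission keys are those quoted above; $base is the database name.
function canEditPft(array $permiso, $base)
{
    $keys = array(
        'CENTRAL_ALL',
        'CENTRAL_EDPFT',
        $base . '_CENTRAL_ALL',
        $base . '_CENTRAL_EDPFT',
    );
    foreach ($keys as $key) {
        if (isset($permiso[$key])) {
            return true;
        }
    }
    return false;
}
// Rendering side: emit the Edit/Delete links only when permitted.
function renderPftLinks(array $permiso, $base, array $msgstr)
{
    if (!canEditPft($permiso, $base)) {
        return '';
    }
    return '<a href="javascript:LeerArchivo(\'\')">' . htmlspecialchars($msgstr['edit']) . '</a>'
         . ' | <a href="javascript:EliminarFormato()">' . htmlspecialchars($msgstr['delete']) . '</a>';
}
// Server side: the script that unlinks the .pft file repeats the check,
// since a link that is merely not shown is not an access control.
function deletePft(array $permiso, $base, $pftDir, $name)
{
    if (!canEditPft($permiso, $base)) {
        http_response_code(403);
        return false;
    }
    // Accept a bare file name only, so the path stays inside $pftDir (assumed layout).
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $name)) {
        return false;
    }
    $path = rtrim($pftDir, '/\\') . DIRECTORY_SEPARATOR . $name . '.pft';
    return is_file($path) && unlink($path);
}
// Constructed sample sessions: a report-only role (hypothetical key name)
// and a role holding per-base PFT rights for the assumed database "MARC".
$reportOnly = array('PRINT_RECORDS' => 1);
$pftEditor  = array('MARC_CENTRAL_EDPFT' => 1);
var_dump(canEditPft($reportOnly, 'MARC'), canEditPft($pftEditor, 'MARC'));
```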