[Instruments] Site/Project permission issues #6880

@laemtl

Description

Users can have access to candidates' information they don't have permission to access if they have the direct link.
(ex: /instruments/aosi/?candID=300258&sessionID=1578&commentID=DDE_300258OTT2581578261524668110)

To reproduce

  • Log in with the admin user, go to Reports > Statistics > Behavioural
  • Click "Click here for breakdown per participant" or "Click here for breakdown per participant"
  • Click on a candidate from a particular site/project and save the URL
  • Log in with another user with no permission for that particular site/project
  • User can see the page

Closely related to #6934
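
The control missing in the report above is an object-level check on the requested record, applied no matter how the link was reached. The sketch below is an added example, not part of the issue and not LORIS code; `Viewer`, `InstrumentRecord` and `canViewInstrument` are hypothetical names, and the site and project IDs are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-ins (not LORIS classes): the affiliations of the
// logged-in user and the stored record that a commentID resolves to.
final class Viewer
{
    public function __construct(
        public readonly array $siteIDs,
        public readonly array $projectIDs
    ) {}
}

final class InstrumentRecord
{
    public function __construct(
        public readonly string $commentID,
        public readonly int $candID,
        public readonly int $sessionID,
        public readonly int $siteID,
        public readonly int $projectID
    ) {}
}

/** Object-level check for one instrument request; $query is the parsed query string. */
function canViewInstrument(Viewer $viewer, ?InstrumentRecord $rec, array $query): bool
{
    if ($rec === null) {
        return false; // unknown commentID
    }
    // All three identifiers must describe the same stored record, so a
    // candID the user may see cannot be paired with another commentID.
    $given  = [$query['commentID'] ?? null, $query['candID'] ?? null, $query['sessionID'] ?? null];
    $stored = [$rec->commentID, (string)$rec->candID, (string)$rec->sessionID];
    if ($given !== $stored) {
        return false;
    }
    // Site and project are read from the stored record, never from the request.
    return in_array($rec->siteID, $viewer->siteIDs, true)
        && in_array($rec->projectID, $viewer->projectIDs, true);
}

// Constructed sample data; the identifiers are those of the example URL above.
$rec   = new InstrumentRecord('DDE_300258OTT2581578261524668110', 300258, 1578, 2, 1);
$query = ['candID' => '300258', 'sessionID' => '1578', 'commentID' => $rec->commentID];

var_dump(canViewInstrument(new Viewer([2], [1]), $rec, $query)); // user affiliated with site and project
var_dump(canViewInstrument(new Viewer([3], [1]), $rec, $query)); // same saved URL, user from another site
```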

Labels

  • Category: Bug (PR or issue that aims to report or fix a bug)
  • Category: Security (PR or issue that aims to improve security)
  • Module: instruments (PR or issue related to instruments module)