Loading...
 
Skip to main content

Trackers, Permission; Permission and tracker properties options are unsafe and need improvements (what about editing?)

Status
Closed
Subject
Trackers, Permission; Permission and tracker properties options are unsafe and need improvements (what about editing?)
Version
25.x
master
Category
  • Conflict of two features (each works well independently)
  • Consistency
  • Feature request
Feature
Permission
Trackers
Resolution status
Out of Date
Submitted by
Bernard Sfez / Tiki Specialist
Lastmod by
Bernard Sfez / Tiki Specialist
Rating
(0)
Description

On a Tiki25, I create a tracker with a username selector to be the owner of the items.

In the tracker properties, I set "User can see his own items".

User can see his own items
The tracker needs a user field with the item-owner activated. No extra permission is needed at the tracker permissions level to allow a user to see just his own items through Plugin TrackerList with the param view=user


And so, user can see his items and I can unassigned any tracker global permission.

I also set Restrict non admins to wiki page access only

Restrict non admins to wiki page access only
Only users with admin tracker permission (tiki_p_admin_trackers) can use the built-in tracker interfaces (tiki-view_tracker.php and tiki-view_tracker_item.php). This is useful if you want the users of these trackers to only access them via wiki pages, where you can use the various tracker plugins to embed forms and reports.


So I understand that only Admins can use the tracker interface.

And it is working fine.

However, if I need user to update their existing items using a modal in a plugin List (tracker-update) or inline-editing format the user see a permission denied.

I have to assign to the group the permission can change item (tiki_p_modify_tracker_items) and this allows users to edit his items on a plugin list.

But now;

  • Restrict non admins to wiki page access only as no more effect. (user sees the tracker interface (/trackers | list, the tracker content | /tiki-view_tracker.php?trackerId=xx and /itemxx | the tracker item)
  • They can edit any items (other users)


Which is pretty bad because it just cancelled:

  1. User can see his own items
  2. Restrict non admins to wiki page access only


There may be more with the tracker field additional permissions and other workaround, but this is just digging deeper and deeper.

In my point of view, it should be possible for an admin to set that user cannot see the tracker interface and can see/edit only their own items quickly (in the tracker properties) without risking display to one user items of another.

Solution
Workaround
Importance
7
Easy to solve?
5
Priority
35
Demonstrate Bug on Tiki 19+
Demonstrate Bug (older Tiki versions)
Ticket ID
8274
Created
Wednesday 21 December, 2022 06:13:34 UTC
by Bernard Sfez / Tiki Specialist
LastModif
Saturday 31 August, 2024 17:38:13 UTC


Show PHP error messages