Trackers, Permission; Permission and tracker properties options are unsafe and need improvements (what about editing?)
- Status
- Open
- Subject
- Trackers, Permission; Permission and tracker properties options are unsafe and need improvements (what about editing?)
- Version
- master
25.x
26.x - Category
- Feature request
- Consistency
- Conflict of two features (each works well independently)
- Feature
- Trackers
Permission - Resolution status
- Confirmed
- Submitted by
- Bernard Sfez / Tiki Specialist
- Lastmod by
- Bernard Sfez / Tiki Specialist
- Rating
- Description
On a Tiki25, I create a tracker with a username selector to be the owner of the items.
In the tracker properties, I set "User can see his own items".
User can see his own items
The tracker needs a user field with the item-owner activated. No extra permission is needed at the tracker permissions level to allow a user to see just his own items through Plugin TrackerList with the param view=user
And so, user can see his items and I can unassigned any tracker global permission.I also set Restrict non admins to wiki page access only
Restrict non admins to wiki page access only
Only users with admin tracker permission (tiki_p_admin_trackers) can use the built-in tracker interfaces (tiki-view_tracker.php and tiki-view_tracker_item.php). This is useful if you want the users of these trackers to only access them via wiki pages, where you can use the various tracker plugins to embed forms and reports.
So I understand that only Admins can use the tracker interface.And it is working fine.
However, if I need user to update their existing items using a modal in a plugin List (tracker-update) or inline-editing format the user see a permission denied.
I have to assign to the group the permission can change item (tiki_p_modify_tracker_items) and this allows users to edit his items on a plugin list.
But now;
- Restrict non admins to wiki page access only as no more effect. (user sees the tracker interface (/trackers | list, the tracker content | /tiki-view_tracker.php?trackerId=xx and /itemxx | the tracker item)
- They can edit any items (other users)
Which is pretty bad because it just cancelled:- User can see his own items
- Restrict non admins to wiki page access only
There may be more with the tracker field additional permissions and other workaround, but this is just digging deeper and deeper.In my point of view, it should be possible for an admin to set that user cannot see the tracker interface and can see/edit only their own items quickly (in the tracker properties) without risking display to one user items of another.
- Importance
- 7
- Easy to solve?
- 5
- Priority
- 35
- Demonstrate Bug (Tiki 19+)
-
This bug has been demonstrated on show2.tiki.org
Please demonstrate your bug on show2.tiki.org
Accessing the Tiki instance that demonstrates this bugThe URL for the show2.tiki.org instance that demonstrates this bug is at: http://bsfez-11581-8274.show2.tiki.org. Note that if you get a popup asking for a username/password, please just enter "show" and "show". This is different from the initial login and password for a new Tiki which is "admin" and "admin".
For the install log, see http://bsfez-11581-8274.show2.tiki.org/info.txt
Note that if you see PHP errors or a Tiki claiming to be missing third party software, the instance creation is probably not finished. Please wait a couple minutes and reload.
SnapshotsSnapshots are database dumps of the configuration that developers can download for debugging. Once you have reproduced your bug on the show2.tiki.org instance, create a snapshot that can then be downloaded by developers for further investigation.
Snapshots can be accessed at: http://bsfez-11581-8274.show2.tiki.org/snapshots/. Note that if you get a popup asking for a username/password, please just enter "show" and "show".
Create new snapshot - Demonstrate Bug (older Tiki versions)
-
This bug has been demonstrated on show.tikiwiki.org
Please demonstrate your bug on show.tikiwiki.org
Show.tiki.org is currently unavailableUnable to connect to show.tikiwiki.org. Please let us know of the problem so that we can do something about it. Thanks.
- Ticket ID
- 8274
- Created
- Wednesday 21 December, 2022 06:13:34 GMT-0000
by Bernard Sfez / Tiki Specialist - LastModif
- Wednesday 21 December, 2022 07:05:02 GMT-0000
Attachments
| filename | created | hits | comment | version | filetype | ||
|---|---|---|---|---|---|---|---|
| No attachments for this item | |||||||
;){kind=link}
;){kind=link}
- Installation process of Tiki from git doesn't complete anymore and end with Fatal error
- Page description, when activated, is always used in browser title display mode
- Anonymous user can't switch perspectives - new permission needed.
- Better colors for the text color toolbar tool in Tiki
- line 1504 of wikiplugin_img.php appends px regardless of what width is
;){kind=link}
;){kind=link}