@tsteur opened this Pull Request on October 14th 2018 Member

fix #13567

@diosmosis commented on October 15th 2018 Member

Testing locally it seems that even for an admin user it shows the entire list of users in the "Copy dashboard to user" modal. Think this is a security risk.

@tsteur commented on October 15th 2018 Member

I tested locally here and it didn't. Did you test if the users you see are in the same sites as the admin user?

@diosmosis commented on October 15th 2018 Member

I had a single site every user had access to, w/o that site it works (though some users still result in the "Cannot copy dashboard to user" error; they probably don't have access to the site).

@tsteur commented on October 15th 2018 Member

When every user has access to this site, and the user is an admin user, then the user can see all the other users. That's expected. I just tested here again and it works as expected. As admin users you can see all other users that have access to the same site.

Say you have:

  • site 1 admin access
  • site 2 write access
  • site 3 view access
  • site 4 admin access
  • site 5 admin access
  • site 6 view access

Then you are allowed to see a list of all users that have access to site 1, 4 and 5.

The method UsersManager.getUsers is used to show the list of available users and is also used to validate in the backend.
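The visibility rule described in the comment above, as an added example that is not Matomo's own code: a model of `getUsers` that returns only users sharing a site on which the caller holds admin access, reused by the backend so that a "copy dashboard" request naming any other user is refused. The logins, site ids and access levels are constructed sample data.

```python
from typing import Dict, List, Set

# Constructed sample data: login -> {site_id: access_level}.
# "alice" mirrors the six-site example from the comment above.
ACCESS: Dict[str, Dict[int, str]] = {
    "alice": {1: "admin", 2: "write", 3: "view", 4: "admin", 5: "admin", 6: "view"},
    "bob":   {1: "view"},                 # shares site 1 with alice (alice is admin there)
    "carol": {2: "admin", 3: "admin"},    # alice only has write/view on these sites
    "dave":  {5: "write", 6: "admin"},    # shares site 5 with alice (alice is admin there)
    "erin":  {7: "view"},                 # no site in common with alice
}


def sites_with_admin_access(login: str, access=ACCESS) -> Set[int]:
    """Site ids on which the given login holds admin access."""
    return {site for site, level in access.get(login, {}).items() if level == "admin"}


def get_users(current_login: str, access=ACCESS) -> List[str]:
    """Model of UsersManager.getUsers for a non-superuser caller.

    Returns every other login that has any access to at least one site
    where the caller is admin. Write or view access on a site does not
    make that site's users visible.
    """
    admin_sites = sites_with_admin_access(current_login, access)
    return sorted(
        login
        for login, sites in access.items()
        if login != current_login and admin_sites & set(sites)
    )


def can_copy_dashboard(current_login: str, target_login: str, access=ACCESS) -> bool:
    """Backend validation for the "Copy dashboard to user" action.

    The server re-derives the allowed list with the same get_users() the UI
    uses, so a request naming a login outside that list is rejected with the
    "Cannot copy dashboard to user" error instead of being trusted.
    """
    return target_login in get_users(current_login, access)


if __name__ == "__main__":
    print(get_users("alice"))                      # ['bob', 'dave']
    print(can_copy_dashboard("alice", "carol"))    # False
```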

@diosmosis commented on November 28th 2018 Member

Some test failures, otherwise looks good to merge & works locally

@tsteur commented on November 29th 2018 Member

Fixed the test 👍

This Pull Request was closed on November 29th 2018