dhis2-devs team mailing list archive
-
dhis2-devs team
-
Mailing list archive
-
Message #38620
Re: [Bug 1474060] Re: Users able to delete dashboard items without authorization
Awesome, thank you Mortin!
Are there any chances this can be moved back to 2.18?
Timothy Harding
RPCV Vanuatu
Skype: hardingt@xxxxxxxxx
+1 (541) 632-6623
On Thu, Jul 16, 2015 at 12:58 AM, Morten Olav Hansen <
1474060@xxxxxxxxxxxxxxxxxx> wrote:
> Fixed in 2.19/trunk. It still allows moving around the items, but will
> not save the new position.
>
> We will disallow moving the items around in a future version.
>
> ** Changed in: dhis2
> Milestone: None => 2.20
>
> ** Changed in: dhis2
> Assignee: (unassigned) => Morten Olav Hansen (mortenoh)
>
> ** Changed in: dhis2
> Importance: Undecided => Medium
>
> ** Changed in: dhis2
> Status: New => Fix Committed
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1474060
>
> Title:
> Users able to delete dashboard items without authorization
>
> Status in DHIS:
> Fix Committed
>
> Bug description:
> Hello Devs,
>
> Saw this occur on a production 2.18 machine by reading the logs,
> Confirmed this on 2.19 using the SL demo site
>
> Steps to recreate:
> 1. Create dashboard with administrator account
> 2. Set public as 'can view'
> 3. Add dashboard item, in my case it was a pivot table
> 4. Log in with user with the following rights:
> - Add/Update Data Value
> - Run validation
> - See Browser Cache Cleaner module
> - See Dashboard integration module
> - See Data Entry module
> - See Data Visualizer module
> - See Event Visualizer module
> - See GIS module
> - See Pivot Table module
> - See Report module
> - See Validation Rule module
> 5. Navigate to dashboard created in Step 1, click remove on any
> dashboard item
> - Note, it usually takes a page reload to reflect the results of this
> action, making it look like nothing happened until the refresh
>
> You should find that the dashboard item(s) is no longer there.
>
> Here is the relevant section of the log from the production 2.18 system:
> * INFO 2015-07-10 18:59:16,625 '[redacted]' delete
> org.hisp.dhis.dashboard.DashboardItem, uid: ov1BR9Hxj0z (AuditLogUtil.java
> [http-bio-8080-exec-276])
> * INFO 2015-07-10 18:59:16,638 '[redacted]' update denied
> org.hisp.dhis.dashboard.Dashboard, name: Principaux, uid: NYmDyNmCqG6
> (AuditLogUtil.java [http-bio-8080-exec-276])
>
> You'll notice the dashboard item was removed, but the subsequent step
> to update the dashboard was denied. As user with proper authority will
> cause the following entries:
>
> * INFO 2015-07-12 17:18:28,794 'timharding' delete
> org.hisp.dhis.dashboard.DashboardItem, uid: P1XHv9Dxfsn (AuditLogUtil.java
> [http-bio-8080-exec-11])
> * INFO 2015-07-12 17:18:28,803 'timharding' update
> org.hisp.dhis.dashboard.Dashboard, name: Baiap Health Centre, uid:
> T7WL4dirz1D (AuditLogUtil.java [http-bio-8080-exec-11])
>
> We'd like it so that the users can see the dashboard but are unable to
> edit the contents. Please let me know if you need any additional info
> to sort this one out. Thanks!
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/dhis2/+bug/1474060/+subscriptions
>
--
You received this bug notification because you are a member of DHIS 2
developers, which is subscribed to DHIS.
https://bugs.launchpad.net/bugs/1474060
Title:
Users able to delete dashboard items without authorization
Status in DHIS:
Fix Committed
Bug description:
Hello Devs,
Saw this occur on a production 2.18 machine by reading the logs,
Confirmed this on 2.19 using the SL demo site
Steps to recreate:
1. Create dashboard with administrator account
2. Set public as 'can view'
3. Add dashboard item, in my case it was a pivot table
4. Log in with user with the following rights:
- Add/Update Data Value
- Run validation
- See Browser Cache Cleaner module
- See Dashboard integration module
- See Data Entry module
- See Data Visualizer module
- See Event Visualizer module
- See GIS module
- See Pivot Table module
- See Report module
- See Validation Rule module
5. Navigate to dashboard created in Step 1, click remove on any dashboard item
- Note, it usually takes a page reload to reflect the results of this action, making it look like nothing happened until the refresh
You should find that the dashboard item(s) is no longer there.
Here is the relevant section of the log from the production 2.18 system:
* INFO 2015-07-10 18:59:16,625 '[redacted]' delete org.hisp.dhis.dashboard.DashboardItem, uid: ov1BR9Hxj0z (AuditLogUtil.java [http-bio-8080-exec-276])
* INFO 2015-07-10 18:59:16,638 '[redacted]' update denied org.hisp.dhis.dashboard.Dashboard, name: Principaux, uid: NYmDyNmCqG6 (AuditLogUtil.java [http-bio-8080-exec-276])
You'll notice the dashboard item was removed, but the subsequent step
to update the dashboard was denied. As user with proper authority will
cause the following entries:
* INFO 2015-07-12 17:18:28,794 'timharding' delete org.hisp.dhis.dashboard.DashboardItem, uid: P1XHv9Dxfsn (AuditLogUtil.java [http-bio-8080-exec-11])
* INFO 2015-07-12 17:18:28,803 'timharding' update org.hisp.dhis.dashboard.Dashboard, name: Baiap Health Centre, uid: T7WL4dirz1D (AuditLogUtil.java [http-bio-8080-exec-11])
We'd like it so that the users can see the dashboard but are unable to
edit the contents. Please let me know if you need any additional info
to sort this one out. Thanks!
To manage notifications about this bug go to:
https://bugs.launchpad.net/dhis2/+bug/1474060/+subscriptions
References