dhis2-devs team mailing list archive
Message #38624
Re: [Bug 1474060] Re: Users able to delete dashboard items without authorization
Awesome, thank you so much Morten!
Timothy Harding
RPCV Vanuatu
Skype: hardingt@xxxxxxxxx
+1 (541) 632-6623
On Thu, Jul 16, 2015 at 7:08 PM, Morten Olav Hansen <1474060@xxxxxxxxxxxxxxxxxx> wrote:
> This has now been backported to 2.18; please give it one hour to build
> and push a new WAR to dhis2.org
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1474060
>
> Title:
> Users able to delete dashboard items without authorization
>
> Status in DHIS:
> Fix Committed
>
> Bug description:
> Hello Devs,
>
> Saw this occur on a production 2.18 machine by reading the logs;
> confirmed this on 2.19 using the SL demo site.
>
> Steps to recreate:
> 1. Create dashboard with administrator account
> 2. Set public as 'can view'
> 3. Add dashboard item, in my case it was a pivot table
> 4. Log in with user with the following rights:
> - Add/Update Data Value
> - Run validation
> - See Browser Cache Cleaner module
> - See Dashboard integration module
> - See Data Entry module
> - See Data Visualizer module
> - See Event Visualizer module
> - See GIS module
> - See Pivot Table module
> - See Report module
> - See Validation Rule module
> 5. Navigate to dashboard created in Step 1, click remove on any
> dashboard item
> - Note, it usually takes a page reload to reflect the results of this
> action, making it look like nothing happened until the refresh
>
> You should find that the dashboard item(s) is no longer there.
>
> Here is the relevant section of the log from the production 2.18 system:
> * INFO 2015-07-10 18:59:16,625 '[redacted]' delete org.hisp.dhis.dashboard.DashboardItem, uid: ov1BR9Hxj0z (AuditLogUtil.java [http-bio-8080-exec-276])
> * INFO 2015-07-10 18:59:16,638 '[redacted]' update denied org.hisp.dhis.dashboard.Dashboard, name: Principaux, uid: NYmDyNmCqG6 (AuditLogUtil.java [http-bio-8080-exec-276])
>
> You'll notice the dashboard item was removed, but the subsequent step
> to update the dashboard was denied. A user with proper authority will
> cause the following entries:
>
> * INFO 2015-07-12 17:18:28,794 'timharding' delete org.hisp.dhis.dashboard.DashboardItem, uid: P1XHv9Dxfsn (AuditLogUtil.java [http-bio-8080-exec-11])
> * INFO 2015-07-12 17:18:28,803 'timharding' update org.hisp.dhis.dashboard.Dashboard, name: Baiap Health Centre, uid: T7WL4dirz1D (AuditLogUtil.java [http-bio-8080-exec-11])
>
> We'd like it so that the users can see the dashboard but are unable to
> edit the contents. Please let me know if you need any additional info
> to sort this one out. Thanks!
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/dhis2/+bug/1474060/+subscriptions
>
--
You received this bug notification because you are a member of DHIS 2
developers, which is subscribed to DHIS.
https://bugs.launchpad.net/bugs/1474060
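The two audit lines in the report are worth turning into a detection: a write on DashboardItem that was persisted, then an "update denied" on the parent Dashboard 13 ms later on the same executor thread. That ordering says the authorization decision ran after the child object had already been deleted, which is exactly the gap the fix closes. The script below is an added example for this thread, not DHIS2 code and not something from the bug report or the fix. It assumes the AuditLogUtil line layout is the one quoted above, that the audit verbs are create/read/update/delete with an optional " denied" suffix, and that lines carrying the same Tomcat executor thread name within a short window belong to one HTTP request (executor threads are reused across requests, so the window is what keeps unrelated requests apart). The first four sample lines are the ones from the report; the fifth is constructed.

```python
"""Correlate DHIS2 AuditLogUtil lines: flag a successful write followed, on the
same thread and by the same user, by a denied action within a short window.

Added example for the bug 1474060 thread; not DHIS2 code. Line layout, verb
set and thread-reuse window are assumptions, not confirmed by the report.
"""
import re
from datetime import datetime
from typing import Dict, Iterable, List, NamedTuple, Optional

# "* INFO <ts> '<user>' update denied <class>, name: X, uid: Y (AuditLogUtil.java [<thread>])"
LINE_RE = re.compile(
    r"^\*\s+(?P<level>[A-Z]+)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+"
    r"'(?P<user>[^']*)'\s+"
    r"(?P<verb>create|read|update|delete)(?P<denied>\s+denied)?\s+"
    r"(?P<cls>[\w.]+),\s*(?P<attrs>.*?)\s*"
    r"\((?P<src>[\w.]+)\s+\[(?P<thread>[^\]]+)\]\)\s*$"
)
UID_RE = re.compile(r"\buid:\s*(\w+)")
WRITE_VERBS = {"create", "update", "delete"}  # assumed AuditLogUtil verbs


class AuditEvent(NamedTuple):
    ts: datetime
    user: str
    verb: str
    denied: bool
    cls: str
    uid: Optional[str]
    thread: str


class Finding(NamedTuple):
    user: str
    thread: str
    written_cls: str           # object whose write went through
    written_uid: Optional[str]
    denied_cls: str            # object whose check then refused the request
    denied_uid: Optional[str]
    gap_ms: int


def parse_line(line: str) -> Optional[AuditEvent]:
    """Parse one AuditLogUtil line; return None for any other log line."""
    m = LINE_RE.match(line)
    if m is None or m.group("src") != "AuditLogUtil.java":
        return None
    uid = UID_RE.search(m.group("attrs"))
    return AuditEvent(
        ts=datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f"),
        user=m.group("user"),
        verb=m.group("verb"),
        denied=m.group("denied") is not None,
        cls=m.group("cls"),
        uid=uid.group(1) if uid else None,
        thread=m.group("thread"),
    )


def find_write_then_denied(lines: Iterable[str], window_s: float = 2.0) -> List[Finding]:
    """Report a successful write that is followed, on the same thread, by the
    same user, within window_s seconds, by a denied action. A denial with no
    preceding write on that thread is a normal refusal and is not reported."""
    last_write: Dict[str, AuditEvent] = {}  # thread name -> latest successful write
    findings: List[Finding] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.denied:
            prev = last_write.pop(ev.thread, None)  # one pairing per request
            if prev is not None and prev.user == ev.user:
                gap_s = (ev.ts - prev.ts).total_seconds()
                if 0 <= gap_s <= window_s:
                    findings.append(Finding(ev.user, ev.thread, prev.cls, prev.uid,
                                            ev.cls, ev.uid, round(gap_s * 1000)))
        elif ev.verb in WRITE_VERBS:
            last_write[ev.thread] = ev
    return findings


# Lines 1-4 are quoted from the bug report. Line 5 is constructed: a denial on
# the reused thread 2.2 s after an unrelated write, outside the default window.
SAMPLE_LOG = """\
* INFO 2015-07-10 18:59:16,625 '[redacted]' delete org.hisp.dhis.dashboard.DashboardItem, uid: ov1BR9Hxj0z (AuditLogUtil.java [http-bio-8080-exec-276])
* INFO 2015-07-10 18:59:16,638 '[redacted]' update denied org.hisp.dhis.dashboard.Dashboard, name: Principaux, uid: NYmDyNmCqG6 (AuditLogUtil.java [http-bio-8080-exec-276])
* INFO 2015-07-12 17:18:28,794 'timharding' delete org.hisp.dhis.dashboard.DashboardItem, uid: P1XHv9Dxfsn (AuditLogUtil.java [http-bio-8080-exec-11])
* INFO 2015-07-12 17:18:28,803 'timharding' update org.hisp.dhis.dashboard.Dashboard, name: Baiap Health Centre, uid: T7WL4dirz1D (AuditLogUtil.java [http-bio-8080-exec-11])
* INFO 2015-07-12 17:18:31,003 'timharding' update denied org.hisp.dhis.dashboard.Dashboard, name: Sample, uid: sampleUid01 (AuditLogUtil.java [http-bio-8080-exec-11])
"""


def scan_sample() -> List[Finding]:
    return find_write_then_denied(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.user} on {f.thread}: {f.written_cls} {f.written_uid} written, "
              f"then {f.denied_cls} {f.denied_uid} denied {f.gap_ms} ms later")
```

Run against the report's lines it yields one finding, the '[redacted]' user on exec-276, and stays quiet on timharding's legitimate delete-then-update pair. Widening window_s to 5 makes it pair the constructed fifth line with timharding's earlier update on the same thread, which is the false positive a too-generous window buys on a busy server. A detection like this only tells you the bypass happened; the fix is the one Morten backported, checking the sharing on the parent Dashboard before the DashboardItem delete is persisted rather than after.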