[BUG] permission issues. Managers & Editors can access too much data. #2465

Closed
JakobEichler opened this issue Apr 14, 2024 · 1 comment

Comments

@JakobEichler

What setup are you using

  • [ ] Cloud Hosted Version
  • [x] Self Hosted

With the editor role I was able to CR(UD) on projects by calling the link directly, https://my-domain/projects/showAll, although according to the documentation https://github.com/Leantime/docs/blob/master/using-leantime/user-management.md this should not be possible. I was even able to assign the project to clients outside the client scope of the user.

This page should be linked for managers, but it is not linked. So how can managers CRUD projects (as they are supposed to)?
Maybe CRUD on projects should only work for client-related projects?

/timesheets/showAll is also visible for a "Manager", and you can see all clients (so a manager of client A can see who ALL the other clients are); projects can also be seen through the dropdown.

Managers also have access to /plugins/marketplace, and I can even click on "install" after entering a license code.

Expected behavior
It would be cool if only what should be accessible were visible.
Also, there needs to be a link to projects for managers.

Leantime Version
v3.1.1

Server
Apache, nginx with apache proxy (managed by Plesk)

PHP / MySQL Version
8.3
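
The three findings in the report share one root cause: access was controlled by which links the UI rendered, while the routes themselves (/projects/showAll, /timesheets/showAll, /plugins/marketplace) and the client dropdowns did not enforce role or client scope. The following is an added example, not Leantime's code and not the fix that shipped in 3.1.3; it models the two checks a reviewer would look for. The role names and routes are taken from the report; the role ranking, the per-route policy table, the User/Client/Project records, the `client_id` field and every function are hypothetical and chosen for illustration.

```python
"""Deny-by-default route authorization plus client-scoped listing.

Added example, not Leantime's own code. Roles and routes come from the bug
report; the rank order, ROUTE_POLICY, the dataclasses and the helper
functions are assumptions made for this illustration.
"""
from dataclasses import dataclass, replace

# Hypothetical ordering; the documentation link in the report defines the real roles.
ROLE_RANK = {"readonly": 10, "editor": 20, "manager": 30, "admin": 50}

# Minimum role per route. A route that is not listed is denied, so a URL
# typed directly into the browser still has to pass this table.
ROUTE_POLICY = {
    "/projects/showAll": "manager",
    "/projects/edit": "manager",
    "/timesheets/showAll": "editor",
    "/plugins/marketplace": "admin",
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    client_id: int  # hypothetical: the one client a non-admin user belongs to


@dataclass(frozen=True)
class Client:
    id: int
    name: str


@dataclass(frozen=True)
class Project:
    id: int
    name: str
    client_id: int


def role_at_least(user: User, required: str) -> bool:
    return ROLE_RANK.get(user.role, 0) >= ROLE_RANK[required]


def authorize_route(user: User, route: str) -> bool:
    """Route-level check: unknown routes and under-privileged roles both fail."""
    required = ROUTE_POLICY.get(route)
    return required is not None and role_at_least(user, required)


def in_scope(user: User, client_id: int) -> bool:
    """Admins see every client; everyone else only their own."""
    return user.role == "admin" or client_id == user.client_id


def scoped_clients(user: User, clients: list[Client]) -> list[Client]:
    return [c for c in clients if in_scope(user, c.id)]


def scoped_projects(user: User, projects: list[Project]) -> list[Project]:
    return [p for p in projects if in_scope(user, p.client_id)]


def assign_project_client(user: User, project: Project, new_client_id: int) -> Project:
    """Moving a project requires the edit role AND both source and target client in scope."""
    if not authorize_route(user, "/projects/edit"):
        raise PermissionError(f"{user.name} ({user.role}) may not edit projects")
    if not (in_scope(user, project.client_id) and in_scope(user, new_client_id)):
        raise PermissionError(f"{user.name} may only move projects within client {user.client_id}")
    return replace(project, client_id=new_client_id)


# Constructed sample data mirroring the report: two clients, one user per role.
CLIENTS = [Client(1, "Client A"), Client(2, "Client B")]
PROJECTS = [Project(10, "A website", 1), Project(20, "B app", 2)]
EDITOR_A = User("eve", "editor", 1)
MANAGER_A = User("mia", "manager", 1)
ADMIN = User("root", "admin", 0)


def reproduce_report() -> dict:
    """Evaluate each item from the bug report against the hardened checks."""
    outcomes = {}
    for label, user in (("editor", EDITOR_A), ("manager", MANAGER_A)):
        try:
            assign_project_client(user, PROJECTS[0], 2)  # move Client A project to Client B
            outcomes[f"{label}_reassign_to_other_client"] = "allowed"
        except PermissionError:
            outcomes[f"{label}_reassign_to_other_client"] = "denied"
    outcomes.update({
        "editor_projects_showAll": authorize_route(EDITOR_A, "/projects/showAll"),
        "manager_projects_showAll": authorize_route(MANAGER_A, "/projects/showAll"),
        "manager_visible_clients": [c.name for c in scoped_clients(MANAGER_A, CLIENTS)],
        "manager_visible_projects": [p.name for p in scoped_projects(MANAGER_A, PROJECTS)],
        "manager_marketplace": authorize_route(MANAGER_A, "/plugins/marketplace"),
        "admin_marketplace": authorize_route(ADMIN, "/plugins/marketplace"),
        "unlisted_route": authorize_route(ADMIN, "/plugins/install"),
    })
    return outcomes


if __name__ == "__main__":
    for key, value in reproduce_report().items():
        print(f"{key}: {value}")
```

The two points worth carrying over to a real fix: the policy lookup happens on the route, so the "no link in the menu" symptom becomes irrelevant, and the client filter is applied to the data returned for dropdowns and list views, not only to whether the page loads. Retesting after an upgrade means repeating the report's steps with an editor and a manager session and confirming the direct URLs return a denial rather than the page.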

@marcelfolaron
Contributor

Should be fixed in 3.1.3
