BUG: user administration seems not encapsulated properly

23 May 2011 13:45 #1 by climb4fun
Hi Babynus,

Unfortunately I discovered something strange:

Case:
We have several projects in parallel in projector. Once I entitled a project lead for any of the projects, he is able to change all resources, not only resources assigned (affected) to project. So he is able to change his profile from "project lead" to "administrator" or he is able to delete the Administrator.

Suggested solution:
A project lead must not be able to
1. set/change a profile to a higher level than project lead.
2. set/change a profile which is higher level than project lead; except assignment to his project.
3. delete a resource which is not only assigned to his project.
4. assign a resource to any project out of the projects he is assigned.

Klaus

23 May 2011 23:54 #2 by babynus
Hi Klaus,

You pointed out a real security issue.
Investigating ...

Babynus.

Babynus
Administrator of ProjeQtOr web site

26 May 2011 22:48 #3 by babynus
Hi,

Resource and Contact screens have been adapted:
- "profile" and "is user" can only be changed by user granted to manage users (by default only admin).
- item can only be deleted by user granted to manage users (by default only admin)

This way:
- project leader cannot change profile of any resource (because it is the user profile)
- project leader cannot add or remove a user

Concerning Affectation, project leader can only manage affectations of resources to his own project.
It has always been implemented this way.

Regards.
Babynus.

Babynus
Administrator of ProjeQtOr web site
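
The rule described in the reply above, as an added sketch that is not part of the thread and not ProjeQtOr's code: the server compares the submitted record with the stored one and refuses changes to privilege-bearing fields, deletions, and out-of-project affectations unless the caller holds the right to manage users. All names (`Actor`, `PROTECTED_FIELDS`, the `check_*` functions) are hypothetical, and the sketch assumes a user who may manage users may also manage any affectation.

```python
from dataclasses import dataclass, field

# Hypothetical names throughout; this is not ProjeQtOr's schema or code.
PROTECTED_FIELDS = {"profile", "is_user"}  # fields that decide account privilege

class Forbidden(Exception):
    pass

@dataclass
class Actor:
    name: str
    can_manage_users: bool = False  # per the reply: by default only admin
    led_projects: set = field(default_factory=set)

def check_resource_update(actor, stored, submitted):
    """Return the changed field names, or raise if a protected one changed.

    The submitted values are compared with the stored record on the server,
    so a hand-built request is refused even when the form hides the inputs.
    """
    changed = {k for k, v in submitted.items() if stored.get(k) != v}
    blocked = changed & PROTECTED_FIELDS
    if blocked and not actor.can_manage_users:
        raise Forbidden(f"{actor.name} may not change {sorted(blocked)}")
    return changed

def check_resource_delete(actor):
    if not actor.can_manage_users:
        raise Forbidden(f"{actor.name} may not delete resources")

def check_affectation(actor, project_id):
    # Assumption: a user manager may handle any project; others only their own.
    if not actor.can_manage_users and project_id not in actor.led_projects:
        raise Forbidden(f"{actor.name} does not lead {project_id}")

def denied(check, *args):
    """True when the check raises Forbidden for these arguments."""
    try:
        check(*args)
    except Forbidden:
        return True
    return False

# Constructed sample data
LEAD = Actor("lead", led_projects={"P1"})
ADMIN = Actor("admin", can_manage_users=True)
STORED = {"name": "Lead", "profile": "project leader", "is_user": True}
```

A save that resubmits the unchanged profile value passes, so a project leader can still edit ordinary fields of a resource.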

14 Jun 2011 07:35 #4 by climb4fun
Hello Babynus,

perfect!

Klaus
