CiviCooP / org.civicoop.documents

CiviCRM Documents extension

Will documents uploaded via Case be 'protected' on the Documents Tab to only those who can access the case? #6

Open petednz opened 7 years ago

petednz commented 7 years ago

If we upload a document on an Activity via a Case then I presume access to it is protected - or at least it is hard to find.

But if it also shows on the Document tab, can other people 'see' it even if they don't have access to the case?

petednz commented 7 years ago

I tested this by becoming a user that has CiviCRM access but zero access to cases. They could see all entries on the Documents Tab, and download the files.

petednz commented 7 years ago

When, as the same user, I tried to access a file that had been uploaded via an Activity on a Case, I got a 403.

jaapjansma commented 7 years ago

@petednz you mean that documents which belong to a case could be seen on the document tab of the contact record?

petednz commented 7 years ago

Per my notes in chat. Yes. A person with no Case permissions can see/access the documents that were uploaded via a Case. Is this 'new' territory that needs work, or something that did work, or you expected to work, and has regressed? Happy to put some resources on to this.

jaapjansma commented 7 years ago

It is something that needs work. I do think that the use case should be that the user can only see documents on cases which they are allowed to see (e.g. permission see only my cases, or all cases).

jaapjansma commented 3 years ago

The documents belonging to a case are not shown on the contact tab.