Indicia-Team / google-archive

Automatically exported from code.google.com/p/indicia

Warehouse users are over privileged #189

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
I logged in to the Indicia Warehouse as a user with administration
privileges to one website.

I was able to see and edit data submitted through other websites. I would
not expect to have access to their data.

Indicia 0.2.4c

Note from John: I think it is pretty simple to fix, just by adding
$this->auth_filter = $this->gen_auth_filter; to the sample controller and
occurrence controller, and making sure the gv_* views for these (which get
the grid data) have the website_id as a column.

Original issue reported on code.google.com by ja...@ceh.ac.uk on 19 Feb 2010 at 2:18

GoogleCodeExporter commented 8 years ago
In a similar vein, as a website admin, I can change custom attributes affecting websites to which I have no rights. And, presumably, only core admins should be able to create/edit attributes available to all sites.

Original comment by ja...@ceh.ac.uk on 22 Feb 2010 at 4:53

GoogleCodeExporter commented 8 years ago

Original comment by johnvanb...@gmail.com on 26 Feb 2010 at 8:21

GoogleCodeExporter commented 8 years ago
The whole system needs a review in this respect, so I started at the species checklist menu entry as it is the first! Quite a few fixes implemented - non core admin can only select websites they have rights to, and cannot edit warehouse owned checklists. I've only done these fixes at the list level and haven't looked at the list content yet - as a non-core admin should not be able to change the content of a warehouse owned list.

Just a start...

Original comment by johnvanb...@gmail.com on 7 Mar 2010 at 9:42

GoogleCodeExporter commented 8 years ago
A little more work done on this - the list of samples and occurrences now filters down to only the websites you have access to.

Original comment by johnvanb...@gmail.com on 27 Mar 2010 at 11:02
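As an added illustration of the access-control gap this thread describes, and not code from Indicia itself, the following Python/SQLite model shows the grid query before and after a `website_id` auth filter, with core admins exempt and warehouse-owned records (NULL `website_id`) editable only by them. The table, the two users and the `list_occurrences`/`can_edit` helpers are constructed here for the example.

```python
import sqlite3

# Constructed sample data: records owned by two websites, plus one
# warehouse-owned record (website_id NULL) that no single website owns.
OCCURRENCES = [
    (1, 1, "Bufo bufo"),            # id, website_id, taxon
    (2, 1, "Rana temporaria"),
    (3, 2, "Vipera berus"),
    (4, None, "Warehouse-owned record"),
]

# Constructed users: an admin of website 1 only, and a core (warehouse) admin.
SITE1_ADMIN = {"core_admin": False, "website_ids": {1}}
CORE_ADMIN = {"core_admin": True, "website_ids": set()}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE occurrences (id INTEGER PRIMARY KEY, website_id INTEGER, taxon TEXT)"
    )
    conn.executemany("INSERT INTO occurrences VALUES (?, ?, ?)", OCCURRENCES)
    return conn


def list_occurrences_unfiltered(conn):
    """Pre-fix behaviour reported in the issue: the grid returns every website's rows."""
    return [row[0] for row in conn.execute("SELECT id FROM occurrences ORDER BY id")]


def list_occurrences(conn, user):
    """Post-fix behaviour: restrict the grid to the caller's websites unless core admin."""
    if user["core_admin"]:
        return list_occurrences_unfiltered(conn)
    allowed = sorted(user["website_ids"])
    if not allowed:
        return []  # no website rights means no rows, not all rows
    placeholders = ",".join("?" * len(allowed))
    # NULL website_id never matches IN (...), so warehouse-owned rows are excluded too.
    sql = f"SELECT id FROM occurrences WHERE website_id IN ({placeholders}) ORDER BY id"
    return [row[0] for row in conn.execute(sql, allowed)]


def can_edit(user, record_website_id):
    """Warehouse-owned records (website_id NULL) may be edited only by core admins."""
    if user["core_admin"]:
        return True
    if record_website_id is None:
        return False
    return record_website_id in user["website_ids"]
```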