SparkDevNetwork / Rock

An open source CMS, Relationship Management System (RMS) and Church Management System (ChMS) all rolled into one.
http://www.rockrms.com

A user who only has view rights on a group type can update a group of that group type via bulk update #5749

Closed tomrhccc closed 8 months ago

tomrhccc commented 8 months ago

Description

A user who only has view rights on a group type can update a group of that group type via bulk update

Actual Behavior

A user who only has view rights on a group type can update a group of that group type via bulk update

Expected Behavior

A user who only has view rights on a group type should not be allowed to update any group of that group type via bulk update

Steps to Reproduce

Issue Confirmation

Rock Version

14.4

Client Culture Setting

en-US

chead4 commented 8 months ago

@tomrhccc Hi Tom - Thanks for submitting your first issue. While attempting to recreate the issue, I am in need of some additional details/screenshots to proceed as I want to make sure I have the security settings set up correctly for your issue.

In Group Types/Roles, a role can have Can View and Can Edit selected which allows the role to view or edit regardless of the group type security setting.

It would be appreciated if you could provide a screenshot of your Group Type/Roles settings, the Security setting for the Group Type and more information of the user making the bulk update. Is the user a member or leader of the group?

tomrhccc commented 8 months ago

Hi Colleen, thanks for your prompt response.

Attached please find the steps to recreate the issue.

Please let me know if you need more information.

Thanks Thomas Lai RHCCC

chead4 commented 8 months ago

@tomrhccc Hi Tom - I am not seeing any attachments; can you please resend them?

tomrhccc commented 8 months ago

Hi Colleen,

Re-send with the attachment.

Thanks Thomas Lai

chead4 commented 8 months ago

@tomrhccc Hi Tom - I'm sorry, I see that you tried again. GitHub doesn't display attachments when they come from an email. Could you go to the GitHub issue and add the attachments?

tomrhccc commented 8 months ago

github issue #5749.pdf

tomrhccc commented 8 months ago

No problem, I have added it in GitHub.

Thanks Thomas

chead4 commented 8 months ago

@tomrhccc Thanks Tom. Can you share a screenshot of the Church Membership Group Type with Roles expanded and is Phebe a member or leader of the Church Membership Active Member Group?

tomrhccc commented 8 months ago

Phebe is a member of the Active Member group.

We have other groups with Church Membership group type (see below) and Phebe is not a member but she can still update those groups via bulk update.

Thanks Thomas Lai

chead4 commented 8 months ago

@tomrhccc Thank you for all the details Tom. I was able to recreate the issue.

Just one final note as I know this was your first issue created. Rock is all about community. A key part of strengthening this bond is knowing who we're engaging with. Could I ask you to include your name, organization, and a photo on your GitHub profile? It's a simple way to put faces to names, fostering a more connected and personal community atmosphere.

DTS-Mike commented 7 months ago

@chead4 We just tested the fix 7b9cc17 and this has not made any difference for @tomrhccc. Please let us know if there is a way to help. I can get screenshots but they won't be any different than what is already provided.

nairdo commented 7 months ago

@DTS-Mike I tested this again. Are you sure the people are actually being added to the group -- or does the Bulk Update just say that "## people were successfully updated."

Screenshot showing Phebe does not have edit access or edit member access: image

Screenshot showing Phebe attempting to use BulkUpdate to put people into that group. image

Screenshot showing result of BulkUpdate image

If that's what you are reporting, that is a bit different.

Since a BulkUpdate can have many things happening at once, I don't believe the feature is structured in such a way as to report what it was not able to do, but I would encourage you to submit a change request or idea over at https://community.rockrms.com/ideas-changes.

DTS-Mike commented 7 months ago

@nairdo to be honest I never hit the last button when it asked "Are you sure you want to bulk update 28 people" and assumed the user would have been stopped before this. I tested the change and the people are NOT added to the new group like you are showing. I will have to ask @tomrhccc but he was under the impression that Phebe would not have seen the groups in the group picker if the user did not have manage member rights. I will ask what he is looking for and if so we might submit an Idea/change request.
Thanks for the snappy response!
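
The behaviour discussed in this thread, as an added example that is not Rock's code and not part of any comment above: a small Python model in which edit rights are checked when listing groups for a picker and again at write time, and a denied bulk update is reported instead of being counted as a success. All class names, function names and sample data are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical model for illustration; none of these names are Rock's API.
@dataclass
class GroupType:
    name: str
    editors: set = field(default_factory=set)         # users granted Edit in group type security
    roles_can_edit: set = field(default_factory=set)  # roles with "Can Edit" selected

@dataclass
class Group:
    name: str
    group_type: GroupType
    members: dict = field(default_factory=dict)       # person -> role name

def can_edit(user, group):
    """Edit comes from group type security, or from a Can Edit role held in this group."""
    if user in group.group_type.editors:
        return True
    return group.members.get(user) in group.group_type.roles_can_edit

def pickable_groups(user, groups):
    """Offer only the groups the user could actually modify."""
    return [g.name for g in groups if can_edit(user, g)]

def bulk_add(user, group, people, role="Member"):
    """Re-check at write time and report the denial instead of a blanket success."""
    if not can_edit(user, group):
        return {"updated": 0, "denied": len(people),
                "message": f"0 people updated: {user} lacks edit rights on '{group.name}'."}
    for person in people:
        group.members.setdefault(person, role)
    return {"updated": len(people), "denied": 0,
            "message": f"{len(people)} people were successfully updated."}

def demo():
    # Constructed data mirroring the thread: Phebe has view-only rights on the group type.
    church = GroupType("Church Membership", editors={"admin"}, roles_can_edit={"Leader"})
    active = Group("Active Member", church, {"Phebe": "Member"})
    other = Group("Other Membership Group", church)   # constructed group name
    people = [f"person{i}" for i in range(28)]
    return {
        "picker": pickable_groups("Phebe", [active, other]),
        "phebe": bulk_add("Phebe", other, people),
        "size_after_phebe": len(other.members),
        "admin": bulk_add("admin", other, people),
        "size_after_admin": len(other.members),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```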