akvo / akvo-flow

A data collection and monitoring tool that works anywhere.
http://akvo.org/products/akvoflow/
GNU Affero General Public License v3.0

Unauthorized user can edit/update cascade resources #3920

Closed jkisioh closed 2 years ago

jkisioh commented 2 years ago

Context

Flow allows admin users to define roles with access levels for cascade resources such that you can limit who is able to edit/update or publish the cascade resources, thus controlling the changes done to those resources.


Problem or idea

Current checks show that as long as a user has been assigned any role, they are able to access the cascade resources and make changes even when they don't have the implicit permission to do so.


Solution or next step

Further investigation needed to find a fix for this.
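The authorization defect described in this issue, as an added example that is not Akvo Flow's code: a hypothetical role/permission model in which the flawed check admits any user holding a role, beside a corrected check that requires a held role to grant the specific cascade permission, plus an audit helper that lists users the flawed check would over-admit. All names, the permission enum and the sample users are assumptions.

```python
# Added example, not Akvo Flow's code: hypothetical role model for cascade resources.
from dataclasses import dataclass, field
from enum import Enum


class CascadePermission(Enum):
    VIEW = "view"
    EDIT = "edit"
    PUBLISH = "publish"


@dataclass(frozen=True)
class Role:
    name: str
    # Access level this role grants on cascade resources (hypothetical model).
    cascade: frozenset = frozenset()


@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)


def can_edit_cascade_weak(user):
    """Flawed check matching the reported behaviour: holding any role suffices."""
    return bool(user.roles)


def has_cascade_permission(user, needed):
    """Corrected check: some held role must explicitly grant the requested permission."""
    return any(needed in role.cascade for role in user.roles)


def update_cascade(user, resource, new_levels):
    """Mutating operation guarded by the corrected check; denies by raising."""
    if not has_cascade_permission(user, CascadePermission.EDIT):
        raise PermissionError(f"{user.name} may not edit cascade {resource['name']}")
    return {**resource, "levels": list(new_levels)}


def find_over_privileged(users):
    """Audit helper: users the weak check admits but who hold no role granting EDIT."""
    return [u.name for u in users
            if can_edit_cascade_weak(u)
            and not has_cascade_permission(u, CascadePermission.EDIT)]


# Constructed sample users for a quick run (assumed role names, not Flow's).
VIEWER = User("viewer", [Role("Data Viewer", frozenset({CascadePermission.VIEW}))])
EDITOR = User("editor", [Role("Cascade Editor",
                              frozenset({CascadePermission.VIEW, CascadePermission.EDIT}))])
NO_ROLE = User("guest")
```

Running `find_over_privileged` over a real user list would give an operator a quick measure of how many accounts the weak check exposes before a fix ships.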