influxdata / influxdb

Scalable datastore for metrics, events, and real-time analytics
https://influxdata.com
Apache License 2.0

Organization members (not-owner) should not see all tokens #19648

Closed Congyuwang closed 3 years ago

Congyuwang commented 3 years ago

Proposal: A member account should not see all the tokens.

Current behavior: After logging in to the GUI client using an organisation member's account, I can see all the tokens, including the owner's token. So the member can use the tokens to do whatever the owner can do, such as deleting data that should not be deleted.

Desired behavior: If a member is only allowed to read and not to write, then write tokens and management tokens should be invisible to this member.

Alternatives considered: An alternative is to use tokens to log in. So the logged-in account has exactly the privileges the token specifies.

Use case: Security issue. To ensure data safety.

Congyuwang commented 3 years ago

I'm using Safari.

If I log in to the Owner's account before logging in to the Member's account, the member will see all the Tokens.

If I refresh the website, the problem persists. But if I close and open a new tab, and log in to the Member's account, it is fine; the member won't be able to see all the tokens.

desa commented 3 years ago

@Congyuwang can you give us a bit more detail on steps to reproduce this issue?

desa commented 3 years ago

cc @russorat

Congyuwang commented 3 years ago
stuartcarnie commented 3 years ago

@aanthony1243 I don't believe this is related to the TSM 1.x port; can you have someone look at this that is familiar with the permissions / API code?

russorat commented 3 years ago

@stuartcarnie @aanthony1243 this is for @desa 's team

stuartcarnie commented 3 years ago

Apologies – I saw it in the "New Issues" of the GA board, so I wanted to make sure it wasn't missed

stuartcarnie commented 3 years ago

I'll pay more attention to the team/* label in the future ;-)

zoesteinkamp commented 3 years ago

Hey, I just had the chance to look over this and confirmed with ecommerce: we have no read-only members. All members you add to your organization are owners, so we expect them to see all tokens created for that org. We will one day have a read-only member, but currently we do not. Can you confirm that the member you log in with the second time is an owner? @Congyuwang

russorat commented 3 years ago

All members you add to your organization are owners, so we expect them to see all tokens created for that org

@zoesteinkamp this is incorrect. Admins can only see their own tokens, not everyone's. For example, check out our tools cluster. This is still an issue. If one admin logs out, and another admin logs in on the same browser, they will be able to see the other admin's tokens. This still needs to be fixed.
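The two visibility rules discussed in this thread (the proposal's "hide tokens that grant more than the viewer holds" and russorat's "each admin sees only their own tokens"), plus a small model of the stale-list-after-relogin symptom the reporter and russorat both describe, as an added example. This is not InfluxDB's code; the record shape is loosely modelled on an InfluxDB v2 authorization (id, user, org, permissions, token) but the field names, the `TokenListCache` class and all sample records are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    action: str    # "read" or "write"
    resource: str  # e.g. "buckets", "authorizations"


@dataclass
class Authorization:
    id: str
    user_id: str                        # the token's owner
    org_id: str
    permissions: frozenset[Permission]
    token: str = field(default="", repr=False)  # the secret; keep it out of logs


# Constructed sample data (assumed names, not real InfluxDB records)
ORG, OWNER, MEMBER = "org-1", "user-owner", "user-member"
READ_BUCKETS = Permission("read", "buckets")
WRITE_BUCKETS = Permission("write", "buckets")
WRITE_AUTHZ = Permission("write", "authorizations")  # a "management" permission

TOKENS = [
    Authorization("auth-1", OWNER, ORG,
                  frozenset({READ_BUCKETS, WRITE_BUCKETS, WRITE_AUTHZ}), "OWNER-SECRET"),
    Authorization("auth-2", MEMBER, ORG, frozenset({READ_BUCKETS}), "MEMBER-SECRET"),
    Authorization("auth-3", OWNER, "org-2", frozenset({WRITE_BUCKETS}), "OTHER-ORG-SECRET"),
]


def own_tokens(user_id: str, org_id: str, tokens: list[Authorization]) -> list[Authorization]:
    """Rule russorat describes: a user sees only the tokens they own, within the org."""
    return [t for t in tokens if t.org_id == org_id and t.user_id == user_id]


def permission_bounded_tokens(user_perms: frozenset[Permission], org_id: str,
                              tokens: list[Authorization]) -> list[Authorization]:
    """Rule from the proposal: hide any token granting something the viewer lacks,
    so a read-only member never sees write or management tokens."""
    return [t for t in tokens if t.org_id == org_id and t.permissions <= user_perms]


def find_leaked(displayed_ids: list[str], user_id: str, org_id: str,
                tokens: list[Authorization]) -> list[str]:
    """Detection check: token ids shown to user_id that the ownership rule would not show."""
    allowed = {t.id for t in own_tokens(user_id, org_id, tokens)}
    return sorted(set(displayed_ids) - allowed)


class TokenListCache:
    """Model of a client that keeps the last fetched token list.
    With clear_on_logout=False it reproduces the symptom in the thread: the list
    fetched for the first user is still shown after a second user logs in."""

    def __init__(self, clear_on_logout: bool = True) -> None:
        self.clear_on_logout = clear_on_logout
        self.user_id: str | None = None
        self.cached: list[str] | None = None

    def login(self, user_id: str) -> None:
        self.user_id = user_id

    def logout(self) -> None:
        self.user_id = None
        if self.clear_on_logout:
            self.cached = None  # the fix: drop per-user state when the session ends

    def tokens_page(self, org_id: str, tokens: list[Authorization]) -> list[str]:
        """Token ids the UI would display for the current user."""
        if self.cached is None:
            self.cached = [t.id for t in own_tokens(self.user_id, org_id, tokens)]
        return list(self.cached)


def simulate_relogin(clear_on_logout: bool) -> list[str]:
    """Owner logs in, views tokens, logs out; member logs in on the same client.
    Returns the ids the member can see that the member does not own."""
    client = TokenListCache(clear_on_logout=clear_on_logout)
    client.login(OWNER)
    client.tokens_page(ORG, TOKENS)
    client.logout()
    client.login(MEMBER)
    shown = client.tokens_page(ORG, TOKENS)
    return find_leaked(shown, MEMBER, ORG, TOKENS)


if __name__ == "__main__":
    print("leaked without clearing cache:", simulate_relogin(False))
    print("leaked with cache cleared on logout:", simulate_relogin(True))
```

`find_leaked` is the check worth running against a real deployment: list what a freshly logged-in user's session displays and diff it against what the ownership rule permits; any id in the difference is a token whose secret has been exposed to the wrong account and should be rotated.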