kimai / Paid-plugins

Support for paid Kimai plugins: Discussions and feature requests
https://www.kimai.org/store/

Limit Tasks view by Teams/Projects to prevent Data Leakage #85

Open bigvictorio opened 1 year ago

bigvictorio commented 1 year ago

Hello,

TLDR: I want to "sort" or be able to see tasks by Teams/Projects so I can prevent data leakage, like it's working in the Expenses plugin. Right now, users see tasks from other Teams/Projects even though they are not part of that Team. (For example, if they open Search settings and click on customers that they can filter into, there is no one. However, they can for some weird reason see other projects/teams/customers in the task tab. It's rendering even though it should not.)

Plugin version: Task Management Bundle 2.1.7. Hosted: locally.

I have three users in my Kimai instance: "JO", "JD", "AS". These users belong to userRole "role" (default Kimai role) that has permissions such as task_assign, task_details, task_view, and view_other_timesheet. Also, I have

To understand what I'm trying to do: I have a customer that I would like to give access to my Kimai app. That customer needs to see all timesheet records (All Times), Expenses, and all tasks only for that specific customer.

In this scenario, with how I have configured roles_permissions, user JO can view all timesheets (All Times) from team "Dog Team", but can't see anything else, and can view timesheets that other users generate for this team. This also works in the Expenses plugin: user JO can view only expenses added to team "Dog Team" but not anything else.

However, I'm struggling with the Tasks view. I want that user JO can view only tasks for Customer/Project/Activity/Team "Dog Team", but also can view tasks that other users created/have assigned to them.

When creating a task, I tried adding that task to specific teams, but that didn't work. I also tried not assigning a user to this task. However, this is not practical, as

I tried searching all GitHub, documentation. Tried this on my locally hosted kimai instance and also on an empty kimai demo from kimai.org, but it doesn't work.

It seems like the Tasks plugin is built differently than TimeSheet (let's call it a plugin) or the Expenses plugin, because there it is working like I would need it for this scenario?

Maybe a better explanation: I want to "sort" or be able to see tasks by Teams/Customers/Projects so I can prevent data leakage, like in the Expenses plugin. Because right now, users see tasks from other Teams even though they are not part of that Team. (In the filter setting, they can't see other Customers/Projects, but in Tasks, they can see it, it is rendering.)

Also, I would like to not be dependent on assigning tasks to teams manually. It should automatically assign that "team" by project (like it works in the Expenses or in the TimeSheets). And even if I don't select a project, it just stops showing for the correct user and starts showing for the non-correct user.

Does anyone have some advice on how I could make this work? Or would the Tasks plugin need some update in the code for another permission that would allow this scenario to work?

Thanks. Have a nice day :)

bigvictorio commented 1 year ago

Update: The Tasks plugin is probably built differently from the Expenses plugin or the main Kimai core.

I wanted to give some external users access to my Kimai instance. So I could create a specific Customer + Team + Project, grant them access there, and they could see All Times + Expenses + Task for that Customer/Team/Project.

I spent hours on this. Testing on empty-dev, on my instance. Either way, I could have working All Times + Expenses, but then there was a data leak in the tasks. Or I could have only Tasks working. Tasks were more important to me right now, so I decided to share with external users only the Dashboard and Tasks menu (and share All Times with the Shared Projects plugin via a password-protected link).

kevinpapst commented 1 year ago

This is important, I will check it.

bigvictorio commented 1 year ago

I'm trying to rewrite it into a more understandable issue, because this is not written very well.

bigvictorio commented 1 year ago

Hello Kevin,

maybe the title should be: multiple users in the same team, where one has a different team, causes data leakage from the team-leader perspective. Also not possible to use Teams with All-Times/Expenses/Tasks due to data leakage from the team-leader via the Tasks plugin.

I apologize, but this is a longer post to explain everything in detail and as simply as I can 😃

I'm running a self-hosted Kimai instance with the bought Tasks and Expenses plugins; however, for this demonstration, I'm using kimai-cloud. Local instance: Kimai version: 2.0.3.1 (prod), PHP version: 8.1.2-1ubuntu2.9, Task management plugin version: 2.1.7, Expenses tracking plugin version: 2.2.1

What's my problem?

If I set my external users to access All Times + Expenses + Tasks for a specific team/project/customer, there is some data leakage, mainly from the Tasks plugin. External users can either have access to All Times + Expenses or just Tasks for everything to work correctly. (From my point of view, it seems like the Tasks plugin is built differently than Kimai core or the Expenses plugin, because it doesn't make sense that just one thing is not working like the other two.)

I spent at least 20 hours testing and trying to figure this out alone. I browsed all Kimai documentation + the permissions for each plugin. Endlessly browsed through Kimai repositories on GitHub, including Discussions and Issues, before making this post, but it seems like I'm the first with this use-case and no one has this problem as I have.

What am I trying to achieve?

Access for external customers so they can see recorded entries (from the internal team, in this example that is the "parrot team") for All-Times, Expenses and Tasks. External customers should only see into All-Times and Expenses. However, external people should be able to create tasks, edit tasks, write comments, and that's it. So Kimai could be used more as a "customer portal" and not be dependent on the "shared-projects plugin that works via URL link and doesn't show expenses" or just on invoices, but so customers could see everything in real time. Generally speaking, external people should be able to see entries for their assigned Team/Project/Customer, and nothing else.


Possible configurations that I tried gave me some results, but nothing working 100% correctly

I color-coded Chrome profiles for users (red is for 'cat user', yellow for 'dog user', green for 'parrot_1 user', blue for 'parrot_2 user'). However, if you get lost, on the new tab it is written which current user this Chrome profile belongs to and is logged into Kimai as. At each configuration, I wrote the current permissions/user organization under this text for exact replication. Under each of these options, there are some changes in the group management/permissions.

1.) Configuration: external users see All-Times, Expenses, and Tasks, but there is a massive data leak under the Tasks plugin:

General Configuration:

I have 4 users + me (as a global admin only for config), 3 customers, 3 projects, 3 teams, and 1 global activity called "problem-solving"

"cat user" and "dog user" are members of the "user group" (a default kimai roles group). With permissions: _view_expense, task_details, task_edit_other, task_edit_own, task_team_view, task_view, view_other_timesheet, view_ownprofile. Everything else is selected as NO

"parrot_1 user" and "parrot_2 user" are members of the "Administrator group" in kimai. With permissions: default permissions from the new Kimai instance for the ADMINISTRATOR role

In the documentation for the Tasks plugin, it is written:

users that own the task_view permission but NOT view_other_timesheet will only see own/assigned tasks

That is true unless a user is the team leader of the group. (For testing, I set view_other_timesheet to NO.) In the "cat team," I have team leader "cat user" and a member "parrot_2 user". In All Times + Expenses, the "cat user" can see only their own entries.

However, on the Tasks page, "cat user" can see all the tasks from the "parrot_2 user". NOT ONLY FROM "cat team/customer", BUT ALSO FROM another team/customer "parrot_2 user" is part of. This should be somehow blocked, because it points to another company. So maybe some security check would be helpful before displaying it.

I tried to limit the view by setting a team for that task, but it seems like team leader has higher priority than the team setting for that task, so in this config it doesn't care and shows what it should not.

Another thingy:

If I change the user in cat_task#4 to "dog user", that task will stop displaying for "cat user" even though it is for that specific customer. However, the "dog user" is not part of the "cat team", so this is probably correct behavior. However, now there is a data leak from the "dog user" point of view, because he sees another company's tasks.

(This is maybe far-fetched, but for me this leakage doesn't make any sense. I read somewhere in the documentation about the hierarchy of things, what comes first in Kimai, such as projects and then everything else, so this doesn't make sense to me.)

POV of "dog user" after changing assigned user in cat_task#4 from "cat user" to "dog user": image

So,

After I set view_other_timesheet to Yes, "cat user" can see in All Times + Expenses only entries from "Cat customer/Cat Team" from "cat user" and "parrot_2 user" (because they are from the same team; however, "cat user" doesn't see any entries from the "dog user" team/project/customer he's part of). Also, any entry from "dog user" or "parrot_1 user" is not visible because they are not members of the "cat team". So this is working correctly, but the view_other_timesheet option doesn't change a thing in the Tasks plugin with the team-leaders configuration.

POV for All-Times + Expenses from "cat user":


2.) Configuration: setting someone else/no-one as a team leader?

Maybe, but not for me. It fixes the problem with data leaking from tasks, but the whole point of seeing All-Times and Expenses then goes away. Users will lose the privilege of seeing all tasks, and you have to manually assign a team for that task. In this configuration:

"cat user" and "dog user" are members of the "user group" (a default kimai roles group). With permissions: task_details, task_edit_other, task_edit_own, task_team_view, task_view, view_own_profile "parrot_1 user" and "parrot_2 user" are members of the "Administrator group" in kimai. With permissions: default kimai administrator permissions

In this example, the permission task_team_view is saving my butt, because at least I can assign a team for that task so external users such as „cat user“ can see something without leaking data. When creating a task, if the "cat user" is only a member of the "cat team" and the "parrot_2 user" (who is Administrator) is the team leader, the "cat user" won't see every task. In that case, I have to assign every task a "team" in the "Team column" as an extra step just so the "cat user" can see it. And don't forget that if someone has a bad Monday and forgets to set the Team for that task, „cat user won't see it“. For infrequent times, setting teams for tasks is okay. Someone maybe will say it's just one click, it won't kill you (I agree). But I'm trying to prove my point: it won't allow the "cat user" to see All-Times and Expenses from anyone else without data leakage.

(Also, I see a possible use-case for this (it's a feature, not a bug): if there are some tasks I don't want my "cat user" to see, I just won't assign the team. However, if I don't want "cat user" to see it, I can assign that task to my internal project "parrot team/project/customer/", so this doesn't make much sense.)

POV of „cat user“. He can see his own created tasks, and those from everybody else (either admin or non-admin) that assigns „cat team“ in the team column for that task. But since the „cat user“ is not a team leader, he can see everything in All-Times + Expenses.

But as said for the billionth time above, if the user (e.g. "cat user") is team leader for some group, there is just data leakage.

Also, it is possible to create a team without a team leader. In this application, I'm currently using a bug in Kimai that is not fixed yet, specifically a bug with teams. I did not test that, because I was worried about another data leakage, so I created some users just to be team leader for all the teams as non-usable accounts. But when the admin is creating a Team through System -> Teams, the admin has to define a team leader as a mandatory option. However, we can skip this team leader: after creating a team with a team leader, we can go through System -> Users, deselect the user's teams, and we will end up with a team without any user/team leader (also no error in the log, it just works 😄).

Some other limitations?:

Also, there is a limitation: to view either tasks, all-times, or expenses, internal users ("parrot team") have to be part of each team ("cat team"/"dog team"/any other team) for external users to see their entries. That is difficult if your company has a big internal/external user/project/teams list.

My idea/solution would be some team that you can set as primary. Or maybe it can be more understandable as an inheritance (parent team). "Parrot team" would be the primary/parent, and other teams (e.g. "cat team", "dog team") would be children and would inherit from their parent. So the internal user will just be part of the "team parrot", and every other team will see that user as if he was part of every other team: cat and dog. This is in the context that if I am a member of the primary/parent team, other users who are part of a secondary/child team can see my entries in All-Times/Expenses. If I decide to make the "Parrot team" my internal team, I will just give it access to all customers/projects, and tasks/all-times/expenses should be treated in the same way as if I were a member of the dog/cat company (right now I could not find this functionality).

Conclusion:

  1. We learned that if a user is a team leader with view_other_timesheet, there is a data leak from the team leader's perspective. The Tasks plugin needs some fixing. Preferably some security check:
    • If there is a task from another user, but I don't have permissions for that specific team/project/company, don't render it. Just like it works in the main Kimai core (All-Times) and also the Expenses plugin. For example: I'm user "cat user". I'm team leader of the "cat team" that only has access set for "cat customer" and "cat project". In my "cat team," there is also a "dog user". However, "dog user" is a member/team leader of "dog team". "dog team" has been granted access only to "dog project" and "dog customer". I think the correct behavior should be that the Tasks plugin checks which teams I (as a user) am part of. Then, for those teams, it checks the granted access for customers/projects. And if I as a team leader find some entry from another user that is part of another team that I don't have access to, just don't display it. (Just like it works in the main Kimai core (All-Times) and Expenses plugins.)
    • Or generally, if this is a bad idea, focus the Tasks plugin more on Project/Teams/Customers, such as in All-Times or Expenses. (I understand, maybe some users or managers love this feature that they can see everything under their "employees", but in my opinion they should have some specific permission for this, or just be System Administrator or have view_all_data.)
  2. Consider adding some hierarchy (as in the "Some other limitations?" heading). This would probably save some of your bigger customers a lot of time and also foolproof it for the future.
  3. Also some other points about the Tasks plugin:
    • The team column under task settings can stay as it is. Maybe consider auto-filling the team setting? (Some settings for the Tasks plugin would be nice.)
    • Auto-filling username? When the role has the "task_edit_other" permission set to no, the task automatically assigns the creating user as the task user. If I create a new task from the dashboard widget, I get assigned as the task user. However, from the Tasks menu, I have to manually assign the user. Maybe add a new button, as there are two buttons in All-Times: "Create" and "+ for multiple users". "Create" would automatically set me as the task owner, and "for multiple users" would allow you to set it to someone else. Also future-proofing for multiple users in tasks would be nice.

I'm sorry if I over-explained and kept repeating myself, or if this text sounded a little angry. Kimai is an awesome app, from an awesome developer that is amazing ❤️
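The team-scoped check proposed in the Conclusion above, modelled as an added example (hypothetical Python, not Kimai's or the Tasks plugin's code): `visible_as_reported` reproduces the leader-sees-every-member's-task behaviour the post describes, and `visible_scoped` adds the check that the task's customer or project is granted to one of the viewer's teams. The teams, customers and tasks are constructed to mirror the cat/dog/parrot scenario in the post.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set
# Hypothetical model of the scenario in this issue (constructed data,
# not Kimai's entities or the Tasks plugin's real code).

@dataclass(frozen=True)
class Task:
    name: str
    assignee: str
    customer: str
    project: Optional[str] = None  # tasks can be created without a project

@dataclass(frozen=True)
class Team:
    name: str
    leader: str
    members: FrozenSet[str]    # includes the leader
    customers: FrozenSet[str]  # customers the team has been granted
    projects: FrozenSet[str]   # projects the team has been granted

TEAMS = (
    Team("cat team", "cat", frozenset({"cat", "parrot_2"}),
         frozenset({"cat customer"}), frozenset({"cat project"})),
    Team("dog team", "dog", frozenset({"dog", "parrot_1"}),
         frozenset({"dog customer"}), frozenset({"dog project"})),
    Team("parrot team", "parrot_1", frozenset({"parrot_1", "parrot_2"}),
         frozenset({"parrot customer"}), frozenset({"parrot project"})),
)

TASKS = (
    Task("cat_task#1", "cat", "cat customer", "cat project"),
    Task("cat_task#4", "parrot_2", "cat customer", "cat project"),
    Task("cat_task#5", "parrot_2", "cat customer"),  # no project set
    Task("parrot_task#1", "parrot_2", "parrot customer", "parrot project"),
    Task("dog_task#1", "dog", "dog customer", "dog project"),
)

def visible_as_reported(user: str) -> Set[str]:
    """Behaviour the issue describes: a team leader sees every task assigned
    to a member of a team they lead, regardless of the task's customer."""
    led_members = {m for t in TEAMS if t.leader == user for m in t.members}
    return {k.name for k in TASKS if k.assignee == user or k.assignee in led_members}

def visible_scoped(user: str, view_other_timesheet: bool) -> Set[str]:
    """Proposed check: own/assigned tasks always; other users' tasks only when
    the task's customer or project is granted to a team the user belongs to."""
    own = {k.name for k in TASKS if k.assignee == user}
    if not view_other_timesheet:
        return own
    my_teams = [t for t in TEAMS if user in t.members]
    def in_scope(k: Task) -> bool:
        return any(k.customer in t.customers or k.project in t.projects
                   for t in my_teams)
    return own | {k.name for k in TASKS if in_scope(k)}
```

With the constructed data, `visible_as_reported("cat")` includes `parrot_task#1` (the leak via the shared member parrot_2), while `visible_scoped("cat", True)` returns only the cat-customer tasks, including the one created without a project.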

kevinpapst commented 1 year ago

Wow, 1000% thank you for all your effort in researching and writing this up.

But if you try to look at your post from the outside: do you get it? Do you think this is an appropriate level of detail?

Can you add a management summary? What are the most important points of your post?

bigvictorio commented 1 year ago

But if you try to look at your post from the outside: do you get it? Do you think this is an appropriate level of detail?

If that helps to at least not waste more of your time, I can edit it so it will be more brief and clear.

Maybe it was a loss of some time, but this helped me get a better understanding of this problem. I understand it is a long post 🥲 and this was maybe not necessary. But at least I had a fun time trying to write something about it 😁

What are the most important points of your post?

In TLDR: if a user is a team leader, under All-Times and Expenses he can see other users' entries just for the specific customer. However, in Tasks he can see everything, such as different customers/projects, that in my opinion should not be seen, and there goes the data leakage. The most important parts are the "Conclusion" heading and the "Some other limitations?" heading.

I recognized that the most obvious problem is in the handling of team leaders in the Tasks plugin and how it does not cooperate with the other parts of your app (maybe this is planned behavior; in the documentation for Tasks or in the store there was nothing about how it is designed to work).

Can you add a management summary?

Can you expand on this a little bit more?