Closed LFrank2021 closed 1 year ago
The majority of the reports are written against the database directly for speed and do not use the models to access the data and filter based on rights of the caller. An audit should probably be run and issues created individually for each report where applicable.
I fail to comprehend the answer. If someone without any rights (except for the ability to log in) cannot see anything, I expect them not to be able to export all datacenters and containers and cabinets to an Excel, PDF or other offline medium either.
search_export.php should honor missing authorizations like report_xml_CFD.php does. Without authorizations the other reports are not accessible.
Greetings. I just got logged into my instance without any roles. I can see the datacenters but no Rack entries. "Quit that! You don't have rights to view this." But I can still export everything through the export link.
Is that intentional? Or an issue?
Kind regards, Frank
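The gap discussed in this thread, as an added example that is not part of the original issue and is not the project's code: a report that queries a table directly never consults the caller's rights, while the same report routed through a rights-filtered accessor does. The schema, the `grants` table and all function names are hypothetical, and the data is constructed.

```python
import csv, io, sqlite3

def make_db():
    # Constructed sample data; schema and names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE cabinet(id INTEGER PRIMARY KEY, location TEXT, dept INTEGER);
        CREATE TABLE grants(user_id TEXT, dept INTEGER);  -- dept NULL = read everything
        INSERT INTO cabinet VALUES (1,'DC1-R01',10),(2,'DC1-R02',20),(3,'DC2-R01',20);
        INSERT INTO grants VALUES ('admin',NULL),('ops20',20);
    """)
    return db

def to_csv(rows):
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["id", "location"])
    w.writerows(rows)
    return buf.getvalue()

def list_cabinets(db, user_id):
    """Model-layer accessor: returns only rows the caller holds a grant for."""
    return db.execute(
        "SELECT DISTINCT c.id, c.location FROM cabinet c JOIN grants g "
        "ON g.dept IS NULL OR g.dept = c.dept "
        "WHERE g.user_id = ? ORDER BY c.id", (user_id,)).fetchall()

def export_direct(db, user_id):
    """Report written straight against the table: user_id is never consulted."""
    rows = db.execute("SELECT id, location FROM cabinet ORDER BY id").fetchall()
    return to_csv(rows)

def export_checked(db, user_id):
    """Same report, denied without any grant and filtered through the accessor."""
    has_grant = db.execute(
        "SELECT 1 FROM grants WHERE user_id = ?", (user_id,)).fetchone()
    if has_grant is None:
        raise PermissionError(f"{user_id} has no rights to export")
    return to_csv(list_cabinets(db, user_id))

if __name__ == "__main__":
    db = make_db()
    print(export_direct(db, "norole"))   # every cabinet, despite no grants
    print(export_checked(db, "ops20"))   # only the rows ops20 may read
```

An audit of the kind suggested in the thread can use the same comparison per report: run each export as a user with no grants and flag any that returns data rows.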