What Wildbook are you working in? ACW
Using a researcher level account, with OrgAdmin level access, I was able to access other users’ bulk imports along with the related match results. I wasn’t able to access either the related encounter or sighting records, which is good. This was for users who were not in the same Organization as the user ID I used.
I don’t think that users should be able to access the bulk imports of users who are not in their organization nor the related match results.
Would it be possible to close what I feel is this bit of a security gap in the system?
This is a very good point. I am moving this to Feature Requests because while the change in the security code is likely fairly simple, we need some feedback from users around the rules of who should see a bulk import. This has an impact on not only visibility but also on page loading speed as well, depending on the number of security checks that need to be made, some of which may need to go down to the Encounter level. In addition, we would love to have your feedback for Codex as well!
Should a user in an organization be able to see all bulk imports of all other users in the org?
Should a user in a collaboration with the bulk upload user be able to see the bulk import?
Should a user who is assigned an Encounter (via Encounter.submitterID) be able to see the bulk import even if they were not the one who made the bulk import?
Should a user who is in a collaboration with another user who is assigned an Encounter (via Encounter.submitterID) be able to see the bulk import even if they were not the one who made the bulk import?
There may be more permutations, but this basic set can help us understand the ideal security constraints that would work for ACW and potentially other platforms.
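To make the four questions above concrete, here is an added example (my own code for this discussion, not Wildbook's or Codex's implementation) that models each question as a policy flag and evaluates them in cost order, so the trade-off the reply mentions is visible: the org and collaboration rules are one lookup per import, while the Encounter.submitterID rules cost one check per encounter in the import. The classes `User`, `Encounter`, `BulkImport`, `Policy`, the symmetric collaboration table and the sample users are all assumptions; the default policy (every flag off) is owner-only, which is the behaviour the original post asks for.

```python
# Hypothetical model of "who may see a bulk import", written as an added
# example for this thread. It is not Wildbook's code; User/BulkImport/
# Encounter/Collaboration and the Policy flags are assumptions that mirror
# the four questions in the reply above.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class User:
    id: str
    org: Optional[str] = None  # assumption: a user belongs to at most one org


@dataclass(frozen=True)
class Encounter:
    id: str
    submitter_id: str  # stands in for Encounter.submitterID


@dataclass(frozen=True)
class BulkImport:
    id: str
    owner_id: str  # the user who ran the import
    encounters: Tuple[Encounter, ...]


@dataclass(frozen=True)
class Policy:
    """One flag per question in the reply; all False means owner-only."""
    same_org: bool = False               # Q1: anyone in the owner's org
    collab_with_owner: bool = False      # Q2: collaborator of the owner
    encounter_submitter: bool = False    # Q3: submitter of any encounter in it
    collab_with_submitter: bool = False  # Q4: collaborator of such a submitter


class BulkImportAuthz:
    def __init__(self, users: Iterable[User],
                 collaborations: Iterable[Tuple[str, str]], policy: Policy):
        self.users: Dict[str, User] = {u.id: u for u in users}
        self.policy = policy
        # collaboration is symmetric: store both directions
        self.collab: Dict[str, Set[str]] = {}
        for a, b in collaborations:
            self.collab.setdefault(a, set()).add(b)
            self.collab.setdefault(b, set()).add(a)
        # count encounter-level checks so the page-load concern is measurable
        self.encounter_checks = 0

    def collaborates(self, a: str, b: str) -> bool:
        return b in self.collab.get(a, set())

    def can_view(self, viewer_id: str, bi: BulkImport) -> Optional[str]:
        """Return the name of the first rule that grants access, else None.
        Cheap import-level rules run first; encounter-level rules run only
        if the policy enables them, and cost one check per encounter."""
        viewer = self.users.get(viewer_id)
        if viewer is None:
            return None  # deny unknown principals
        if viewer_id == bi.owner_id:
            return "owner"
        owner = self.users.get(bi.owner_id)
        p = self.policy
        if (p.same_org and owner is not None and viewer.org is not None
                and viewer.org == owner.org):
            return "same_org"
        if p.collab_with_owner and self.collaborates(viewer_id, bi.owner_id):
            return "collab_with_owner"
        if p.encounter_submitter or p.collab_with_submitter:
            for enc in bi.encounters:
                self.encounter_checks += 1
                if p.encounter_submitter and enc.submitter_id == viewer_id:
                    return "encounter_submitter"
                if (p.collab_with_submitter
                        and self.collaborates(viewer_id, enc.submitter_id)):
                    return "collab_with_submitter"
        return None

    def visible(self, viewer_id: str, imports: Iterable[BulkImport]) -> List[str]:
        """Filter a listing page down to the imports the viewer may see."""
        return [bi.id for bi in imports if self.can_view(viewer_id, bi) is not None]


def sample_data():
    """Constructed sample, not real Wildbook data."""
    users = [User("alice", "ACW"), User("bob", "ACW"),
             User("carol", "OtherOrg"), User("dave", None)]
    collaborations = [("alice", "carol")]
    bi1 = BulkImport("bi1", "alice", (Encounter("e1", "alice"), Encounter("e2", "dave")))
    bi2 = BulkImport("bi2", "carol", (Encounter("e3", "carol"),))
    return users, collaborations, [bi1, bi2]


if __name__ == "__main__":
    users, collabs, imports = sample_data()
    for name, policy in [("owner-only", Policy()),
                         ("Q1 same org", Policy(same_org=True)),
                         ("Q3 encounter submitter", Policy(encounter_submitter=True))]:
        az = BulkImportAuthz(users, collabs, policy)
        for who in ("bob", "carol", "dave"):
            print(name, who, az.visible(who, imports))
        print("  encounter-level checks:", az.encounter_checks)
```

Running the script shows that under owner-only, bob (same org as alice, no collaboration) sees nothing, which is the gap reported above closed; turning on Q1 lets bob see alice's import with zero encounter-level work, while Q3 or Q4 makes every listing page walk the encounters of every import the cheaper rules did not already grant, which is where the reply's page-load concern comes from and why a real implementation would want a precomputed viewer-to-import index for those two rules.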