Using a researcher level account, with OrgAdmin level access, I was able to access other users’ bulk imports along with the related match results. I wasn’t able to access either the related encounter or sighting records, which is good. This was for users who were not in the same Organization as the user ID I used.
I don’t think that users should be able to access the bulk imports of users who are not in their organization nor the related match results.
Would it be possible to close what I feel is this bit of a security gap in the system?
This is a very good point. I am moving this to Feature Requests because while the change in the security code is likely fairly simple, we need some feedback from users around the rules of who should see a bulk import. This has an impact on not only visibility but also on page loading speed as well, depending on the number of security checks that need to be made, some of which may need to go down to the Encounter level. In addition, we would love to have your feedback for Codex as well!
Questions:
Should a user in and organization be able to see all bulk imports of all other users in the org?
Should a user in a collaboration with the bulk upload user be able to see the bulk import?
Should a user who is assigned an Encounter (via Encounter.submitterID) be able to see the bulk import even if they were not the one who made the bulk import?
Should a user who is in a collaboration with another user who is assigned an Encounter (via Encounter.submitterID) be able to see the bulk import even if they were not the one who made the bulk import?
There may be more permutations, but this basic set can help us understand the ideal security constraints that would work for ACW and potentially other platforms.
Hi @jason, I was just looking for some info on OrgAdmin and found this unanswered set of questions from you. Apologies for never getting back to you on this - how rude! Here are my very belated answers:
Should a user in and organization be able to see all bulk imports of all other users in the org?
For ACW, no. Only an OrgAdmin should be able to see the bulk imports of other users from the same org
Should a user in a collaboration with the bulk upload user be able to see the bulk import?
Yes
Should a user who is assigned an Encounter (via Encounter.submitterID) be able to see the bulk import even if they were not the one who made the bulk import?
Yes for ACW but I’m not sure for non-ACW Wildbook users. It’s rare in ACW that a user who uploaded the bulk import isn’t also the user who is assigned the encounter(s) via Encounter.submitterID
Should a user who is in a collaboration with another user who is assigned an Encounter (via Encounter.submitterID) be able to see the bulk import even if they were not the one who made the bulk import?
Yes, for ACW users. Again, not sure about non-ACW Wildbook users
