Bulk import stuck at last detection

Hi @Anastasia, @jason & @Marine_Ingwe - I thought we’d fixed the bulk import access issue that I believe Marine is referring to a while back, but it looks like I’m mistaken. Here’s a link to the ticket I submitted on the topic last year, with a follow-up in April this year: Access to other users' bulk imports

@anastasia & @jason - I originally posted this as an issue/bug because if there’s no collaboration between users, there should be no access to each other’s bulk imports. But it got converted to a feature request due to some follow-up questions from Jason.

But I still feel it’s a security issue that needs to be fixed urgently, not a feature request.

What I believe Marine is referring to can be reproduced as follows:

  1. Log in using a researcher-only level account
  2. Go to the Bulk import logs
  3. Click on the bulk import of a user that you do not have a collaboration with
    The result is that you can access the detailed bulk import page & you can open all of the match results pages.
    I tested this and it works - let me know and I can share via email the user IDs I used for this test. When I try to confirm a match or open an encounter record or sighting page related to the other user’s bulk import and/or match results page, I get the “access is unauthorized”-type message. So I don’t have full access to the other user’s data but I have access I don’t believe a researcher-level user should have - I can open and review their bulk import details & related match results pages.

This problem is aggravated by something I think is fairly new because I haven’t noticed it before today.

Previously, the bulk import logs were separated into 2 different screens:

  1. My bulk imports
  2. Other users’ bulk imports - accessible by clicking on a link at the top of the page for (1) above

Today, I see that all bulk imports are combined on the same landing page when you click to go to Bulk import logs, which makes other users’ bulk imports more immediately available than previously. I’m guessing this is why Marine discovered that she can access other users’ bulk imports (users with whom she does not have a collaboration) when she hadn’t noticed previously.

Other users will find this quickly as well and so I suspect we’ll start to hear from others shortly, reporting the same issue.

All the users I know will not want to see that users they don’t have collaborations with can access their bulk imports, even if they can’t edit it, etc.

So a fix would be very much appreciated.

thanks
Maureen

cc: @PaulK

1 Like
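The report above describes a check that is enforced on encounter pages but not on the bulk import log, the import detail page, or the match results pages. The sketch below is an added example, not part of the post and not the platform's own code: it shows one access rule (owner, collaborator, or admin) applied at all three entry points. Every class, function, role name and user in it is hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    username: str
    roles: frozenset = frozenset({"researcher"})  # hypothetical role names

@dataclass(frozen=True)
class BulkImport:
    task_id: str
    owner: str

class AccessPolicy:
    """Single source of truth for who may see a bulk import."""
    def __init__(self, collaborations):
        # Collaborations are symmetric, so store them as unordered pairs.
        self._pairs = {frozenset(pair) for pair in collaborations}

    def can_view(self, user, imp):
        if "admin" in user.roles or user.username == imp.owner:
            return True
        # Deny by default: no collaboration means no access.
        return frozenset((user.username, imp.owner)) in self._pairs

def list_import_logs(policy, user, imports):
    # The combined landing page only lists imports the user may open.
    return [i for i in imports if policy.can_view(user, i)]

def open_import_detail(policy, user, imp):
    # Hiding the row is not enough: a direct request for the detail
    # page must be checked server-side as well.
    if not policy.can_view(user, imp):
        raise PermissionError(f"{user.username} may not view {imp.task_id}")
    return {"task_id": imp.task_id, "owner": imp.owner}

def open_match_results(policy, user, imp):
    # Match results inherit the import's access rule through the same gate.
    open_import_detail(policy, user, imp)
    return {"task_id": imp.task_id, "matches": []}

# Constructed sample data: alice and bob collaborate, carol does not.
POLICY = AccessPolicy([("alice", "bob")])
ALICE, BOB, CAROL = User("alice"), User("bob"), User("carol")
ADMIN = User("root", frozenset({"admin"}))
IMPORTS = [BulkImport("imp-a", "alice"), BulkImport("imp-c", "carol")]

if __name__ == "__main__":
    print([i.task_id for i in list_import_logs(POLICY, BOB, IMPORTS)])
```
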