Description
A user can see the names/existence of Connection Opportunities in this list that they do not have permission to view. This opens the ability for them to see opportunities that they should not know about, even if they can’t see any details or people assigned within them.
Screenshot of opportunities under the “Absentee” Connection Type from a kidMinistry Volunteer profile:
Screenshot of security roles in which the kidMinistry volunteer is a member:
Screenshot of assigned permissions on the “Adult” absentee opportunity that was visible in the first screenshot above:
Actual Behavior
By selecting a connection type that contains both opportunities the user has permission to view and opportunities they do not have permission to view, the user is able to see names/stats for connection opportunities they do not have permission to view when they select "All Opportunities" from the dropdown selection.
Expected Behavior
The "All Opportunities" selection would show all opportunities that the user has permission to view while hiding any opportunities that they do not have permission to view.
Steps to Reproduce
- Create two connection opportunities under one connection type.
- Create two security roles
- Allow "View" access to the connection type for both security roles
- Allow "View" access to the first connection opportunity for the first security role and Deny "View" access to the first connection opportunity for [All Users]
- Allow "View" access to the second connection opportunity for the second security role and Deny "View" access to the second connection opportunity for [All Users]
- Provide two users with login credentials and allow "View" access to the pages leading up to the "Connection Opportunities" page
- Log in with each user account and navigate to the connections page.
- Click into the new connection type and see both connection opportunities using both accounts.
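A constructed model of the permission setup above and of the listing bug it exposes (added example, not Rock RMS code): the type check alone lets every opportunity through, while checking each opportunity's own ordered Allow/Deny rules gives the expected per-user list. Role names, rule ordering and the "no matching rule means allowed" default are assumptions of the model, not Rock's implementation.

```python
# Constructed model of the listing bug described in this report; not Rock RMS code.
from dataclasses import dataclass, field

ALL_USERS = "[All Users]"  # pseudo-role that matches every user


@dataclass
class Rule:
    action: str   # e.g. "View"
    role: str     # security role name, or ALL_USERS
    allow: bool   # True = Allow, False = Deny


@dataclass
class Secured:
    name: str
    rules: list = field(default_factory=list)  # evaluated in order, first match wins

    def is_authorized(self, action, user_roles):
        for r in self.rules:
            if r.action == action and (r.role == ALL_USERS or r.role in user_roles):
                return r.allow
        return True  # assumption of this model: no matching rule means allowed


@dataclass
class ConnectionType(Secured):
    opportunities: list = field(default_factory=list)


def list_opportunities_vulnerable(ctype, user_roles):
    """Checks only the connection type, as the report describes: names leak."""
    if not ctype.is_authorized("View", user_roles):
        return []
    return [o.name for o in ctype.opportunities]


def list_opportunities_fixed(ctype, user_roles):
    """Checks the type and then each opportunity individually (expected behavior)."""
    if not ctype.is_authorized("View", user_roles):
        return []
    return [o.name for o in ctype.opportunities if o.is_authorized("View", user_roles)]


def build_absentee_type():
    """Mirrors 'Steps to Reproduce' with constructed role and opportunity names."""
    adult = Secured("Adult", [Rule("View", "RoleA", True), Rule("View", ALL_USERS, False)])
    kids = Secured("Kids", [Rule("View", "RoleB", True), Rule("View", ALL_USERS, False)])
    type_rules = [Rule("View", "RoleA", True), Rule("View", "RoleB", True)]
    return ConnectionType("Absentee", type_rules, [adult, kids])
```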
Issue Confirmation
Rock Version
19.1 (19.1.7)
Client Culture Setting
en-US