Rock
Group Detail Lava Block allows viewing Group Member Attributes even with no Security Access
Prerequisites
- [X] Put an X between the brackets on this line if you have done all of the following:
- Did you perform a search at https://github.com/issues?q=is%3Aissue+user%3ASparkDevNetwork+-repo%3ARock to see if your bug or enhancement is already reported?
- Can you reproduce the problem on a fresh install or the demo site?
- Did you include your Rock version number and client culture setting?
Description
If you create a Group Member Attribute at either the Group Type or Group level, and set the View Security so All Users are denied and Admins are the only role allowed, a person without Admin access can still view the Member Attribute from the Group Detail Lava Block. This person can also edit the attribute value.
Here is a different bug referring to Group Attributes - not sure if it is related: #3569
A Picture Is worth a Thousand Words
Steps to Reproduce
- Create (or edit) a Group Member Attribute. Give view security to Admins, and deny access to all users (as in screenshot above).
- Make Ted Decker a leader in the group, and make sure Ted does not have the Admin Security Role.
- Login as Ted Decker (/myaccount) and select the group from the sidebar.
- Edit a Group Member and see that the Group Member Attribute is visible AND editable.
Expected behavior:
A person without the proper security role should not be able to view/edit Group Member Attributes.
Actual behavior:
Person with no security access is able to view/edit Group Member Attributes.
Versions
- Rock Version: [v13.3, v14.0]
- Client Culture Setting: [en-US]
@mikedotmundy Can you also provide a screenshot showing the "Edit" security verb settings for that "Secure Hours Serving" attribute? The one shown above is for the "View" security verb.
The fix referenced above from 7 days ago (https://github.com/SparkDevNetwork/Rock/commit/6f14c1401903489f7d0c55a22d7fa996c7f303e3) should cover the 'editing' side of the equation, but the "view" side is controlled by the Lava template that the block is configured to use. For that, the Lava template editor would need to decide which attributes they want to show or not show. This is mentioned in the Attribute Filters document here: https://community.rockrms.com/lava/filters/attribute-filters
@nairdo I left that at the default setting, as in this image here:
I think I'm still missing something. I am not seeing where I have the ability to edit (with Lava) which GroupMember attributes appear on the Group Member Edit page.
As I look at this on the demo site (v14.0), this is what I am seeing:
- A person who does not have View or Edit permissions cannot view the attribute. (This is correct.)
- A person who has both View and Edit permissions can view and edit the attribute. (This is correct.)
- A person who has only View permissions cannot view the attribute at all. (This seems to me to be incorrect. If I set View permissions, but not Edit permissions, I should be able to view and not edit it.)
Thanks @mikedotmundy. As for "editing" attribute values: yes, that is (was) an issue which should have been recently fixed via https://github.com/SparkDevNetwork/Rock/commit/6f14c1401903489f7d0c55a22d7fa996c7f303e3
Which you can now see on the pre-alpha site: