timetracker
Not fully user-separated?
I just wanted to prepare some demo entries under my admin user for some demo screenshots on the app store, when I noticed that plenty of the projects I created as my regular user were displayed. Furthermore, I changed some of the clients I previously created with my admin user, and now they appeared in my regular user's profile as well!
I'm not sure how this could happen though, as another unprivileged user seems to have a completely separated database. Maybe this was because of the privilege level of the administrator? Can anybody reproduce this?
Thanks a lot, LukeLR
Hello @LukeLR! As far as I use the app, this is a feature so that different users can "join" a project. For me, I can then export by client as multiple users work in projects for the same clients.
I am glad I stumbled on that issue: I wasn't aware that it was shared by all users. Even in the report section, other users can see what entries I created with the time I spent on them.
That is a big security issue when we use that application on a shared Nextcloud instance.
Are you sure not only admins could see the reports of other users? For me, it was a perfect feature.
@provirus There is also a lock feature to lock projects to specific users.
It might make sense to have projects be locked by default to the current user.
Hi Alexander,
Yes my "other user" was an admin. I could double-check that any non-admin cannot see. That could reduce the issue, but the issue would still be there considering that a big selling point of Nextcloud is the privacy of the data. When we enable file encryption, even the admins cannot view the files and that is great.
I wasn't using any "client" or "project"; just tracking time on the main page, so I didn't look at the project's options. I would have to see what is public and not.
One solution to make sure it works well for all use cases (I am a developer, so I know that it is not a simple or quick fix, so I would understand that it might not be a top priority for you) would be:
- All tracked time without a project is private to the user
- A project can have:
  - A list of users or groups that can use the project
  - A list of users or groups that own the project (and can generate reports and view details)
- Same for clients (since clients shouldn't be public either. I don't know if they currently are. I will take a look)
Thanks for the feedback. I will double-check if I can find a way to safely use it for now.
I confirm that everything is not public between users; only the admin can view everything. So, for now, I can use it, but I will have to keep that in mind as a caveat.
cheers
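To make the proposed model concrete, here is a small Python model added to this thread; it is a constructed illustration, not code from the timetracker app or the Nextcloud API, and it also covers the "locked to the current user by default" idea from the earlier comment. The names User, Acl, Entry, new_project, can_view and report are assumptions.

```python
# Constructed model of the rules proposed above (not timetracker code): project-less time
# is private to its author; "users" may book time on a project, "owners" may report on it.
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()
    is_admin: bool = False            # deliberately grants no extra visibility below

def _matches(principals, user):       # user listed directly or via one of its groups
    return user.name in principals or any(g in principals for g in user.groups)

@dataclass
class Acl:                            # attached to a project (and, per the proposal, a client)
    users: set = field(default_factory=set)    # may use the object
    owners: set = field(default_factory=set)   # may use it and see everyone's entries
    def can_use(self, user):
        return _matches(self.users | self.owners, user)
    def owns(self, user):
        return _matches(self.owners, user)

def new_project(creator):             # hypothetical "locked by default" behaviour
    return Acl(owners={creator.name})

@dataclass
class Entry:
    author: str
    minutes: int
    project: Optional[Acl] = None     # None: plain time tracked on the main page

def can_view(viewer, entry):
    if viewer.name == entry.author:
        return True
    if entry.project is None:
        return False                  # private to the author, no admin override
    return entry.project.owns(viewer)

def report(viewer, entries):          # minutes per author the viewer may see on a report page
    totals = {}
    for e in entries:
        if can_view(viewer, e):
            totals[e.author] = totals.get(e.author, 0) + e.minutes
    return totals

# Constructed sample data: alice owns the project, group "dev" may book time on it.
ALICE, BOB = User("alice", frozenset({"dev"})), User("bob", frozenset({"dev"}))
ADMIN = User("root", is_admin=True)
PROJECT = Acl(users={"dev"}, owners={"alice"})
ENTRIES = [Entry("bob", 30, PROJECT), Entry("bob", 15), Entry("alice", 45, PROJECT)]
```

With this data, `report(ALICE, ENTRIES)` shows both users' project time, `report(BOB, ENTRIES)` shows only Bob's own, and the admin sees nothing unless added as an owner.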
@provirus I am only a user of this as well. I have not contributed. But you could always create a PR extending the functionality. I was thinking about creating a PR as well, but more regarding UX of the app.
> But you could always create a PR extending the functionality

I would love to, but I already have too much on my plate with my other open source projects