Security: All data is shown in Widgets
No permissions when displaying widget content - all data from each widget can be displayed, e.g. it is possible to display all calendar events to which you don’t have permissions index.php?module=Home&view=ShowWidget&name=CalendarActivities&type=all
Activity
@nilay.automatesmb This will throw 'Invalid request' error. Can you please add more details on this.
@uma.s it is not that straightforward.
Follow these steps:
- Create non-admin user which does not have permissions for Calendar module, like:
-
As admin user create an upcoming activity, "visibility" does not matter as for non-admin user Calendar module is disabled. I am setting subject as "Admin Activity"
-
Login as non-admin user
-
In the Dashboard add "History" widget. You can see I have access to only few widgets as non-admin:
-
inspect the history widget in developer tools and go to the "refresh" element:
-
Edit the element and change the data-url to "index.php?module=Home&view=ShowWidget&name=CalendarActivities&linkid=57&widgetid=1"
-
Click on the refresh button which will load the upcoming Activities widget in History widget:
-
Click on Min/All filter and select All, it will load the "Admin Activity":
-
@nilay.automatesmb Thanks! for the complete details, will look into this asap.
mentioned in merge request !360 (merged)
mentioned in commit 9b33d4f7
-
@prasad you can reproduce the issue for OverdueActivities widget.
url to be used would be : index.php?module=Home&view=ShowWidget&name=OverdueActivities&linkid=66&widgetid=20&linkid=66&content=data
This is after applying the above fix.
mentioned in merge request !364 (merged)
Status changed to closed by commit df7fb381
