View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|16978||Bug reports||User / Groups / Roles||public||2021-01-15 12:17||2021-03-19 22:30|
|Summary||16978: Create users and manage a group - confidentiality|
|Description||Create users and manage a group|
The admin create two users:
1.a user (UB) with the following rights:
create users (all rights)
create groups (all rights)
2. a UC user with the unique right to create questionnaires.
User UB creates 2 accounts: UB1 and UB2
The UB user who has all the rights to group management and who is not admin, can add the UB1 and UB2 accounts, but also all the accounts that have not been created by him (UC and admin)
He will not be able to delete the UC and admin accounts, even if he has all the rights for the management of his group.
There is the confidentiality issue if we do not want UB to see all the user accounts present in our installation of LimeSurvey.
In my case, I have over 400 accounts and you never know.
I did my tests on the demo site which is in V4.3.33, but I have the problem in V3.
Here is the link on the forum for managing users and groups.
I also have the problem on users:
We take the case of UB which has all rights.
UB can display a list of all users of the LimeSurvey installation. He can only act on those he created, but it is annoying to see all the other users.
|Steps To Reproduce||Go to limesurvey demo|
create a user with all permission for user and group
connect with this user
list all user --> you see all user
create two user
create a group
add user --> you see all user.
|Tags||No tags attached.|
|Complete LimeSurvey version number (& build)||LimeSurvey Version 4.3.33|
|I will donate to the project if issue is resolved||No|
|Database & DB-Version||mysql ? demo site - me postgres 10|
|Server OS (if known)|
|Webserver software & version (if known)|
|PHP Version||php demo site|
|This issue is interesting for us, too!|
|So the issue is that user UB can see all users in the user list, even the ones he does not own?|
Though I didn't originally post this issue and hope not to interfere with riqcles - yes, this is exactly our point!
Although I admit that I cannot see at the moment how users' visibility to others could be managed to solve the issue. Mail domains are probably the only possible characteristic to filter by. But this would be only partly useful as sometimes users from different institutions or mail providers need to cooperate in a certain group or on a certain survey.
It would be marvellous if someone could come up with a good solution!
It's the purpose of "Group member can only see own group" , no ?
Except for superadmin.
|As I understand it, user with the right to add or delete other users from a group should only see certain users and not all. @riqcles, am I right?|
... sorry, reading the description again: I think it is "user with the right to add or delete other users from a group should only see users created by himself/herself."
Which would help us probably, too.
Yes, UB must see only user create by him (in this example UB1 UB2 and UB ! )
and UB1 can only see UB1 and not the other.
For the group, it's the same :
UB must see only UB1 and UB2
|2021-01-15 12:17||riqcles||New Issue|
|2021-01-15 12:17||riqcles||File Added: 4.png|
|2021-01-15 12:17||riqcles||File Added: 0_1.png|
|2021-01-15 12:17||riqcles||File Added: 1.png|
|2021-01-15 12:17||riqcles||File Added: 3.png|
|2021-03-15 10:09||gwdgls||Note Added: 63356|
|2021-03-18 16:00||c_schmitz||Note Added: 63440|
|2021-03-19 07:24||c_schmitz||Assigned To||=> c_schmitz|
|2021-03-19 07:24||c_schmitz||Status||new => feedback|
|2021-03-19 10:56||gwdgls||Note Added: 63466|
|2021-03-19 10:58||DenisChenu||Note Added: 63468|
|2021-03-19 11:01||gwdgls||Note Added: 63469|
|2021-03-19 11:04||gwdgls||Note Added: 63470|
|2021-03-19 22:30||riqcles||Note Added: 63491|
|2021-03-19 22:30||riqcles||Status||feedback => assigned|