View Issue Details

This bug affects 1 person(s).
ID: 18742
Project: Feature requests
Category: User / Groups / Roles
View Status: public
Last Update: 2023-05-17 15:13
Reporter: Valerio_Bozzolan
Assigned To: ollehar
Priority: none
Severity: feature
Status: closed
Resolution: fixed
Summary: 18742: GDPR: Allow Read-Only "User Admins" to read User Role Names
Description

PREAMBLE
The GDPR imposes a principle of minimization of data processing.
Fortunately, LimeSurvey has a very versatile and flexible set of privileges indeed.

For example:

  • you can create users that can only see in Read-only all other Users
  • you can create users that can only see in Read-only all the Surveys

These roles are useful, since they are not necessarily super-administrators.

DESCRIPTION OF THE PROBLEM
But, at the moment the page "Users List" has some columns that are ONLY visible to Super Admins (probably without much reason):

  • "User Roles": names of the Roles assigned to a User
  • "User Groups": names of the Groups assigned to a User
  • "Number of surveys": just a count of the Surveys created by that User

The fact that this basic information is visible only to Super Admins probably means the current implementation is somehow too restrictive and could be improved.

PROPOSED SOLUTION
This is a reasonably secure compromise:

  • "User Roles": show also to Administrators of Users (this information is really useful to people in charge of keeping an eye on who has permissions, like a GDPR consultant)
  • "User Groups": show also to Administrators of Users (same as above)
  • "Number of surveys": show also to Administrators of Users that are also Administrators of Surveys (since this is information that a user with both these privileges can already surely know)

The last one is still strict, even if it's also a wider default than the current one, so probably it's a better compromise, but that can of course be improved in the future.

Tags: No tags attached.
Bug heat: 6
Story point estimate: 1
Users affected %: 10

Activities

Valerio_Bozzolan

2023-04-12 19:13

reporter   ~74484

Here is my related pull request:

https://github.com/LimeSurvey/LimeSurvey/pull/3048

DenisChenu

2023-04-13 11:46

developer   ~74485

I never use roles

About the others: seems OK,
Except the potential issue about usercontrolSameGroupPolicy
https://manual.limesurvey.org/Global_settings#Security

tibor.pacalat

2023-05-17 15:13

administrator   ~75033

Tested and merged.

Issue History

Date Modified Username Field Change
2023-04-12 18:52 Valerio_Bozzolan New Issue
2023-04-12 19:13 Valerio_Bozzolan Note Added: 74484
2023-04-12 19:13 Valerio_Bozzolan Bug heat 0 => 2
2023-04-13 11:46 DenisChenu Assigned To => ollehar
2023-04-13 11:46 DenisChenu Status new => feedback
2023-04-13 11:46 DenisChenu Note Added: 74485
2023-04-13 11:46 DenisChenu Bug heat 2 => 4
2023-05-17 15:13 tibor.pacalat Status feedback => closed
2023-05-17 15:13 tibor.pacalat Resolution open => fixed
2023-05-17 15:13 tibor.pacalat Note Added: 75033
2023-05-17 15:13 tibor.pacalat Bug heat 4 => 6