You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When viewing the attendance history for a person, if they have been added to that the current user is not authorized to view, they can still see that the user was added to that group. This is a sensitive issue for people who may be attending a recovery-type group or other care-focused groups.
Expected Behavior
Because the member we impersonate is not in the Rock Administration role, they should not see that the new member was added to the care/recovery group.
Actual Behavior
The none admin can see that the new member was added to a recovery/care group.
Steps to Reproduce
Go to a site running Rock McKinley 14.1 (1.14.1.1).
Create a new member and add them to a group that has a security set where only an admin security role can view."
Impersonate any other member that can see the history section on a person's profile page but not the group
As this person, view the history tab on the new member you created on step 3's profile
Rock Version
Rock McKinley 14.1 (1.14.1.1)
Client Culture Setting
Client Culture Setting: en-US
The text was updated successfully, but these errors were encountered:
Note that this issue is not just a duplicate of #5043. The issue remains for Group Security but it is also an issue with Attendance as attendance in those groups may be displayed as well.
@Kwame-Agyei would a practical work around for earlier versions prior to v16.1 be to use the Person History block under the category CRM > Person Detail? (and then secure the History Log block until v16.1)
Well, the PersonHistory block is now considered outdated and hasn't been updated for quite some time. It basically serves the same function as the HistoryLog block on the Person history page, but there's a chance it might have bugs. If you plan to switch to it, we would advise you to make sure to set a reminder to remove or replace the block once you upgrade to v16.1.
Please go through all the tasks below
Please provide a brief description of the problem. Please do not forget to attach the relevant screenshots from your side.
Similar to #5043 & #5043.
When viewing the attendance history for a person, if they have been added to that the current user is not authorized to view, they can still see that the user was added to that group. This is a sensitive issue for people who may be attending a recovery-type group or other care-focused groups.
Expected Behavior
Because the member we impersonate is not in the Rock Administration role, they should not see that the new member was added to the care/recovery group.
Actual Behavior
The none admin can see that the new member was added to a recovery/care group.
Steps to Reproduce
Rock Version
Rock McKinley 14.1 (1.14.1.1)
Client Culture Setting
Client Culture Setting: en-US
The text was updated successfully, but these errors were encountered: