Timesheet entries marked as exported by users without permission

[rbuehler-teletrend]

Describe the issue

For normal users we have following roles disabled: edit_exported_timesheet, edit_export_other_timesheet, edit_export_own_timesheet.
That normal user however, is intentionally allowed to export own and other timesheets (create_export, export_other_timesheet, export_own_timesheet are allowed).

Although the user should not be able to edit the export settings, after export those timesheet entries are marked as exported.
Additionally, there is no entry in the audit log about this change. Only manual changes of the timesheet entry are logged.

I already tried

• I've read and searched the documentation.
• I've searched for similar issues in this repository.
• I've searched for similar issues in the discussions.

Kimai version

2.12.0

How do you run Kimai?

Virtual Server or alike

Which PHP version are you using?

8.1

Logfile

No response

Screenshots

No response

[kevinpapst]

???

You allow to switch the export flag and then open a bug that the export flag can be switched?

These are dangerous permissions: create_export, export_other_timesheet, export_own_timesheet

[rbuehler-teletrend]

Hi Kevin

I just see the difference between Kimai 1 and 2 where I think, in Kimai 1 the "mark as exported" checkbox is by default disabled and in Kimai 2 it is by default enabled. Anyhow, the standard user without edit_export_* permissions doesn't see this option, therefore it was never a problem in the past - there was no way for a standard user to change the export flag.

I'd wish that a standard user can create an export from the export menu but without changing the export flag.
This was / would be useful, if a standard user wants to give an overview to a customer about the progress of a project.
Yes, you could do that through the export of timesheets if export_*_timesheet permissions are given. It even doesn't change the export flag.
But here the possibilities to export are limited and you can't select from various (even custom) PDF's for example.

One option could be to not include the permission to change the exported flag into create_export and add it as a separate permission.
Or to change the default in the export menu back to not mark as exported.
If this default is defined somewhere in the database, I would also be happy to know where to change it.

[kevinpapst]

Duplicate of #4339

I'd wish that a standard user can create an export from the export menu but without changing the export flag.

It was never meant to be used by regular users. But anyway: I understand!

Can you post your comment in the older issue please (and vote for it).

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please share your experience with the community and leave a testimonial to support Kimai.