Timesheet entries marked as exported by users without permission #4679
Comments
??? You allow to switch the export flag and then open a bug that the export flag can be switched? These are dangerous permissions: create_export, export_other_timesheet, export_own_timesheet
Hi Kevin, I just see the difference between Kimai 1 and 2 where, I think, in Kimai 1 the "mark as exported" checkbox is disabled by default and in Kimai 2 it is enabled by default. Anyhow, the standard user without edit_export_* permissions doesn't see this option, therefore it was never a problem in the past - there was no way for a standard user to change the export flag. I'd wish that a standard user can create an export from the export menu but without changing the export flag. One option could be to not include the permission to change the exported flag in create_export and add it as a separate permission.
Duplicate of #4339
It was never meant to be used by regular users. But anyway: I understand! Can you post your comment in the older issue please (and vote for it).
This thread has been automatically locked since there has not been any recent activity after it was closed. Please share your experience with the community and leave a testimonial to support Kimai.
Describe the issue
For normal users we have the following roles disabled: edit_exported_timesheet, edit_export_other_timesheet, edit_export_own_timesheet.
That normal user however, is intentionally allowed to export own and other timesheets (create_export, export_other_timesheet, export_own_timesheet are allowed).
Although the user should not be able to edit the export settings, after export those timesheet entries are marked as exported.
Additionally, there is no entry in the audit log about this change. Only manual changes of the timesheet entry are logged.
I already tried
Kimai version
2.12.0
How do you run Kimai?
Virtual Server or alike
Which PHP version are you using?
8.1
Logfile
No response
Screenshots
No response
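The separation the report asks for, as an added Python model that is not Kimai's code: reading entries into an export is gated on the export_* permissions, while setting the exported flag is treated as a write that needs the edit_export_* permissions and always produces an audit record. The class and function names, the audit record layout and the choice of edit_export_* as the gate for the flag are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Entry:
    id: int
    owner: str
    exported: bool = False

@dataclass
class User:
    name: str
    permissions: frozenset

def _scoped(user, entry, own_perm, other_perm):
    # Pick the "own" or "other" variant of a permission for this entry.
    needed = own_perm if entry.owner == user.name else other_perm
    return needed in user.permissions

def may_export(user, entry):
    # Reading an entry into an export file: export_* permissions only.
    return "create_export" in user.permissions and _scoped(
        user, entry, "export_own_timesheet", "export_other_timesheet")

def may_set_exported_flag(user, entry):
    # Changing the flag is a write: gated on edit_export_* (assumption).
    return _scoped(user, entry, "edit_export_own_timesheet",
                   "edit_export_other_timesheet")

def run_export(user, entries, mark_exported, audit_log):
    """Return exportable entries; flip the flag only where permitted, and log it."""
    included = [e for e in entries if may_export(user, e)]
    for e in included:
        if mark_exported and not e.exported and may_set_exported_flag(user, e):
            e.exported = True
            audit_log.append({"actor": user.name, "entry": e.id,
                              "field": "exported", "old": False, "new": True})
    return included

def demo():
    # Constructed sample data, not taken from a real installation.
    export_perms = {"create_export", "export_own_timesheet", "export_other_timesheet"}
    edit_perms = {"edit_export_own_timesheet", "edit_export_other_timesheet"}
    standard = User("alice", frozenset(export_perms))
    admin = User("bob", frozenset(export_perms | edit_perms))
    entries, log = [Entry(1, "alice"), Entry(2, "carol")], []
    exported_by_standard = run_export(standard, entries, True, log)
    flags_after_standard = [e.exported for e in entries]
    run_export(admin, entries, True, log)
    return len(exported_by_standard), flags_after_standard, [e.exported for e in entries], log
```

In this model the standard user still receives both entries in the export, but the flag and the audit log change only when the user holding edit_export_* runs it.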