Bug for ADA: the 4 fields (Name, Email, Institution, Position) for guestbooks are editable for logged in users #10625

Open
mdmADA opened this issue Jun 12, 2024 · 1 comment
Labels
Type: Bug a defect UX & UI: Design This issue needs input on the design of the UI and from the product owner

Comments

@mdmADA
Contributor

mdmADA commented Jun 12, 2024

What steps does it take to reproduce the issue?

  • Create a dataset with at least 1 restricted file and allow access request.
  • Create the guestbook for this dataset and include any or all of the 4 authenticateduser details: Name, Email, Institution, Position in the guestbook.
  • Set the guestbook to appear at request (also happens when they download but the gb at request is ADA's primary workflow).
  • Login as a regular user that will be able to request access.
  • Go to the dataset and click 'request access' for the file.
  • The guestbook pops up.
  • The 4 fields are editable. Add any values to the fields that you like.

When does this issue occur?
With every guestbook.

Which page(s) does it occur on?
All datasets that have a guestbook.

What happens?
See description of steps.
Being able to add any value to these 4 fields means the requesting user can spoof who they are and requires extra verification by the people evaluating the access request.

To whom does it occur (all users, curators, superusers)?
All users who enter guestbook values. All access request managers who need to evaluate the guestbook entries.

What did you expect to happen?
I expected that, for a logged-in user, the values for the 4 fields would be pulled from the authenticateduser table and be non-editable (especially for email address, which should be verified by the requesting user).

As the person setting up the guestbook, I would like to be able to specify these field values need to be pulled from the authenticateduser table and that they can't be edited.

ADA would want this to be an installation-wide setting but more flexibility (dataverse level, dataset level) may be useful at some point, and/or for other Dataverse installations.

Which version of Dataverse are you using?
6.2

Any related open or closed issues to this bug report?
Not that I can find.

@mdmADA mdmADA added the Type: Bug a defect label Jun 12, 2024
@mdmADA mdmADA changed the title from "Bug for ADA: the 4 authenticateduser fields (Name, Email, Institution, Position) for guestbooks are editable for logged in users" to "Bug for ADA: the 4 fields (Name, Email, Institution, Position) for guestbooks are editable for logged in users" Jun 12, 2024
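
A sketch of the server-side behaviour the report asks for, added here as an illustration; it is not part of the original issue and not Dataverse code. `Account`, `build_guestbook_entry` and `lock_identity_fields` are hypothetical names, and the sample values are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# The four guestbook identity fields named in the issue.
IDENTITY_FIELDS = ("name", "email", "institution", "position")

@dataclass(frozen=True)
class Account:
    """Hypothetical stand-in for one row of the authenticateduser table."""
    name: str
    email: str
    institution: str
    position: str

def build_guestbook_entry(account: Optional[Account], submitted: dict,
                          lock_identity_fields: bool) -> dict:
    """Decide server-side which identity values are stored with a request.

    lock_identity_fields models the installation-wide setting requested in
    the issue (assumed name). Because the decision is made on the server, a
    read-only form control altered in the browser changes nothing.
    """
    entry, overridden, unverified = {}, [], []
    for field in IDENTITY_FIELDS:
        claimed = (submitted.get(field) or "").strip()
        if account is None:
            # Guest: no account record exists, so the value stays unverified.
            entry[field] = claimed
            unverified.append(field)
            continue
        on_record = getattr(account, field)
        differs = bool(claimed) and claimed.casefold() != on_record.casefold()
        if lock_identity_fields:
            # Locked: the account record wins; note the attempted edit.
            entry[field] = on_record
            if differs:
                overridden.append(field)
        else:
            # Unlocked: keep the claim, but flag it for the request manager.
            entry[field] = claimed or on_record
            if differs:
                unverified.append(field)
    return {"entry": entry, "overridden": overridden, "unverified": unverified}

# Constructed sample data, not taken from the issue.
ACCOUNT = Account("Dana Lee", "dana.lee@uni.example",
                  "Example University", "PhD student")
FORM = {"name": "Dana Lee", "email": "dean@uni.example",
        "institution": "Example University", "position": "Dean"}
```

With the setting off, the `unverified` list gives the person evaluating an access request the exact fields that differ from the account record.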
@cmbz

cmbz commented Jun 24, 2024

@mdmADA

Recommendation:

Projects
Status: 🔍 Interest