Idea ID: 2797422

Change "Remove" button that allows operator to delete all views from the system

Status : Declined
over 1 year ago

Hello,

I suggest to change behavior of "Remove" button displayed by display option "view.define_remove".

When operator does not have permission to any view he can removes all the views from the system without administrator rights. This should not be possible. As far I know this bug exists in Service Manager since 9.34 version. I uploaded attachment with "Remove" button.

I created a service request for this but because this functionality is "hard coded", support could not fix this.

Below you have example steps to reproduce an error on "cm3t" table (The "cm3t" table is only an example. The same issue exists on every table where you don't have any views):

1. Choose an operator with role which doesn't have permission to any view on cm3t table.
2. Log in to index.do
2. Go to: "Change mamangent -> Task Queue". In my environment system displays message: "No records selected from inbox file using query: ( null(report.disabled) or report.disabled=false ) and inbox.type="cm3t" and (inbox.class="classList" or inbox.class="classView") and (operator.name="PLK003879" or operator.name="%NONE%" and (audience.type="everyone" or (audience.type="groups" and groups isin {"Operator", "PLK003879"}) or (audience.type="assignmentgroups" and assignment.groups isin {}) or (audience.type="role" and role="Operator"))) Or a field is invalid."
3. Press button: "More -> Define Views". System shows button "Remove". It shouldn't be here.
4. When you press "Remove", system will remove all the views from your system. Not only views from "cm3t" table but views based on all tables.

 

Tags: