- Bug
- Resolution: Fixed
- Low
- Mindville - Pre Bundled, 4.18.1, Insight 8.7.12, 4.20.11
- 8
- Severity 2 - Major
- 5
Issue Summary
Originally reported as https://jira.mindville.com/browse/ICS-1091
Although the Object Picker can be disabled from the Portal in the CF configuration, if enabled it exposes all Object Attributes (at a User Role level) even to Customers, as they can expand the available Object.
We might want to disable "Expanding" the Object for Customers who are not Jira / Object Users, so they can only see the Label when selecting from the Object Picker.
The Object Picker exposing Objects should be noted better in our documentation.
// Additionally - it seems that the Portal User (External customer and not a Jira User) is affected by the Object Type "Developer" Role only - if this specific role is populated, the Customer will not see Hidden Attributes (regardless of other Schema / Object Type Roles)
Steps to Reproduce
- Enable Object picker on an Insight CF
- Enable Customer portal for JSM customers on the object schema
- Mark an object attribute as "hidden"
Expected Results
Portal-only users should not be able to see hidden attributes on the object picker in customer portal
Actual Results
All attributes, including the hidden ones, are visible
Workaround
- Ensure that the hidden attribute(s) is not selected in the "Filter objects with attributes" option in the custom field configuration
- Possibly we can disable Object picker on the CF configuration. However, this doesn't fully solve the issue
It's almost 2024 and the problem still persists (even in DC).
Furthermore: by using the "view Graph" option and increasing the references depth, you can even navigate the full object schema, if objects are linked.
I would call that a data breach...
Please make the JSM customers follow the normal user permissions in Assets!!!
The only workaround so far: