Security Problem or not?

Questions, suggestions, requirements, discussion about Untis MultiUser
p.vanmeel
Posts: 10
Joined: 15 July 2008, 08:11

Security Problem or not?

Post by p.vanmeel » 13 February 2009, 15:17

Hello,
I think I have found a security problem in Untis2008 MultiUser and 2009.
I'll explain it.

In our database I've defined 5 schools. One of the users has permissions to make (and delete) schoolyears and versions in 1 school. So he doesn't have the permission to do this in the other 4 schools or to log on to the other 4 schools.
When the logon-screen appears and the user selects one of the other 4 schools, where he does not have any permissions, and clicks "Versies beheren" (in English I guess "Manage Versions"), then he can delete all of the versions. The same happens when he does this with schoolyears.

Is this a security problem?

Hope to hear soon from you.
Regards. Paul van Meel

gg
Untis GmbH
Posts: 633
Joined: 28 June 2006, 09:47
Location: Gruber & Petters

Post by gg » 17 February 2009, 07:44

You're right, that's not consistent. We will take care of it.

Regards,
Günter Gerstbrein

p.vanmeel
Posts: 10
Joined: 15 July 2008, 08:11

Post by p.vanmeel » 17 February 2009, 08:21

Thanks!

gg
Untis GmbH
Posts: 633
Joined: 28 June 2006, 09:47
Location: Gruber & Petters

Post by gg » 19 February 2009, 09:32

Done.

Creating a schoolyear or version now needs (in addition to the right "create schoolyear" / "create version") rights for the superior (meaning you need rights for a certain school to create a schoolyear for it and rights for a certain schoolyear to create a version). Managing the text of a school / schoolyear / version now also requires rights for the actual school / schoolyear / version.

Deleting one of them is now only possible for the "Super"-Administrator (Username "Administrator", who is created automatically and who has all the rights).

If you tell me which country you are from, I could contact the distribution partner regarding a new update.
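
The rule set described in the post above, sketched as an added example that is not part of the original thread and is not Untis code. The `User` model, the path tuples, the `delete` right name and the inheritance of rights from a school to its schoolyears and versions are assumptions; `unscoped_delete` models the behaviour reported in the first post, where the right is checked but the selected school is not.

```python
from dataclasses import dataclass, field

SUPER_ADMIN = "Administrator"  # built-in account named in the post

@dataclass
class User:
    name: str
    rights: set = field(default_factory=set)  # e.g. {"create_version"}
    scopes: set = field(default_factory=set)  # paths the user holds rights on

def is_super(user):
    return user.name == SUPER_ADMIN

def in_scope(user, path):
    # Assumption: rights on a school also cover its schoolyears and versions.
    return is_super(user) or any(
        path[:n] in user.scopes for n in range(1, len(path) + 1))

def unscoped_delete(user, path):
    """Reported behaviour: the right is checked, the target school is not."""
    return "delete" in user.rights

def can_create(user, parent):
    """Create a schoolyear under a school, or a version under a schoolyear."""
    needed = {1: "create_schoolyear", 2: "create_version"}.get(len(parent))
    if needed is None:          # a version has no children to create
        return False
    return is_super(user) or (needed in user.rights and in_scope(user, parent))

def can_edit_text(user, path):
    """Managing the text requires rights on the object itself."""
    return in_scope(user, path)

def can_delete(user, path):
    """After the change only the built-in Administrator may delete."""
    return is_super(user)

# Constructed sample data: one planner with rights in school-1 only.
planner = User("planner",
               {"create_schoolyear", "create_version", "delete"},
               {("school-1",)})
admin = User(SUPER_ADMIN)

if __name__ == "__main__":
    for target in [("school-1", "2008/09", "v1"), ("school-2", "2008/09", "v1")]:
        print(target, "unscoped:", unscoped_delete(planner, target),
              "fixed:", can_delete(planner, target),
              "edit text:", can_edit_text(planner, target))
```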

p.vanmeel
Posts: 10
Joined: 15 July 2008, 08:11

Post by p.vanmeel » 19 February 2009, 10:49

Thanks for the quick response.
I'm from The Netherlands.

Regards. Paul.
