Operators can see username of customers even if username is not visible to users

Bug and problem reporting on Cyclos 4 version

Moderators: hugo, alexandre, rmvanarkel

jar
Posts: 97
Joined: Mon Apr 20, 2015 8:55 am

Operators can see username of customers even if username is not visible to users

Post by jar » Tue Aug 13, 2019 9:25 pm

Hi,

In our system, we treat the username as private information. We believe that it is more secure this way. So, we created a custom profile field as a public account identifier to allow transactions between customers, and we do not allow customers to see other customers' usernames.
However, and this is the bug, if a user creates an operator, the operator can see the usernames of other customers, and it shouldn't.

Another issue that we found is that operators are not limited to the groups that we have limited the user (father of the operator) to. Operators can see all users of all groups! This is another bug.
We are using Cyclos 4.11.5.
Thanks for your kind attention.
Best regards,

JAR

alexandre
Posts: 837
Joined: Wed Sep 06, 2006 9:06 am

Re: Operators can see username of customers even if username is not visible to users

Post by alexandre » Wed Aug 14, 2019 11:41 am

Hi,

I cannot reproduce this problem. Please check whether you have another product that is granting extra permissions to these users. You can check the final/active user permissions from the product link on the view user profile page (logged in as admin). This way you can review the effective user permissions.

If you review and the problem persists, send a database dump to info@cyclos.org, then we can debug to check the problem.

regards
Alexandre Caurrinhos
Cyclos development team.

jar
Posts: 97
Joined: Mon Apr 20, 2015 8:55 am

Re: Operators can see username of customers even if username is not visible to users

Post by jar » Thu Aug 15, 2019 10:49 am

Hi,

We do not have a product granting other permissions to users. The user (father of the operator) can see nearly 3,000 customers. The operator of that user can see 7,000 customers.
Thanks for your kind attention.
Best regards,

JAR

alexandre
Posts: 837
Joined: Wed Sep 06, 2006 9:06 am

Re: Operators can see username of customers even if username is not visible to users

Post by alexandre » Thu Aug 15, 2019 10:51 am

Hi,

Send a database dump to info@cyclos.org
Alexandre Caurrinhos
Cyclos development team.

jar
Posts: 97
Joined: Mon Apr 20, 2015 8:55 am

Re: Operators can see username of customers even if username is not visible to users

Post by jar » Thu Aug 22, 2019 12:03 pm

Hi Alexandre,

We cannot send the database because of GDPR rules. We have this problem in the production instance of Cyclos. We cannot send personal data outside the European Union.
However, we analysed the issue and we discovered the cause.

So, the problem is:
1. an operator can see profile fields of other users that its father user (= the user that created the operator) cannot see;
2. an operator can change other users' addresses, even if the user's address is private;
3. an operator can change the phone number and address of the user that created the operator.

The cause of this was the user that created the operator had a user product and a broker product.
After deleting the broker product from the user that created the operator, those problems disappeared.
This user was created as a normal user and then we added a broker product (in the past this was possible). Now that we have deleted the broker product, we cannot add a broker product to that user.

So, we solved this issue to some of our customers (by simply deleting their broker product).

However, we have brokers that have operators and operators shouldn't be able to manage this data. So, it would be good to be able to specify which data an operator of a broker could manage.

The other issue that we had was users being able to see more users than they should. That was an additional product with a bad configuration. It is also solved.
Thanks for your kind attention.
Best regards,

JAR
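The three symptoms listed in the post above (an operator seeing fields its owner cannot, reaching groups its owner cannot, and editing the owner's own contact data) are all of the same shape: an operator's effective scope is wider than the scope of the user it acts for. The following is an added audit example, not Cyclos code and not using any Cyclos API; it models the check an administrator would run over an exported permission report. The export format, the account, field and group names, and the rule that an operator's scope must be a subset of its owner's are all assumptions made for the illustration.

```python
"""Audit for operator scope exceeding the owning user's scope.

Added example, not Cyclos code: it models the checks a reviewer would run on
an exported permission report. The export format, field names and group names
are constructed for the illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    name: str
    kind: str                   # "user" or "operator"
    owner: Optional[str]        # for operators: the user who created them
    visible_fields: frozenset   # profile fields of other users this account may view
    visible_groups: frozenset   # user groups this account may list or search
    edits_on_owner: frozenset   # fields this account may change on its owner's profile


# Constructed export (invented rows mirroring the symptoms in the thread):
# account|kind|owner|visible_fields|visible_groups|edits_on_owner   ("-" = empty)
EXPORT = """\
jar_user|user|-|public_id,name|customers_A|-
op_1|operator|jar_user|public_id,name,username,address|customers_A,customers_B|phone,address
broker_2|user|-|public_id,name,username,address|customers_A,customers_B|-
op_2|operator|broker_2|public_id,name,username|customers_A|-
"""


def _split(cell: str) -> frozenset:
    """Turn a comma-separated cell into a set; '-' means no entries."""
    return frozenset() if cell == "-" else frozenset(cell.split(","))


def parse_export(text: str) -> dict[str, Account]:
    """Parse the pipe-separated report into Account records keyed by name."""
    accounts: dict[str, Account] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, kind, owner, vf, vg, eo = line.split("|")
        accounts[name] = Account(name, kind, None if owner == "-" else owner,
                                 _split(vf), _split(vg), _split(eo))
    return accounts


def audit(accounts: dict[str, Account]) -> list[tuple[str, str, frozenset]]:
    """Return (operator, finding, detail) for every operator that exceeds its owner.

    An operator acts on behalf of its owner, so its field visibility and group
    reach should never be wider than the owner's, and it should not be able to
    edit the owner's own contact data. Each violation becomes one finding.
    """
    findings: list[tuple[str, str, frozenset]] = []
    for acct in accounts.values():
        if acct.kind != "operator":
            continue
        owner = accounts.get(acct.owner or "")
        if owner is None:
            findings.append((acct.name, "orphan-operator", frozenset()))
            continue
        extra_fields = acct.visible_fields - owner.visible_fields
        if extra_fields:
            findings.append((acct.name, "sees-fields-owner-cannot", extra_fields))
        extra_groups = acct.visible_groups - owner.visible_groups
        if extra_groups:
            findings.append((acct.name, "sees-groups-owner-cannot", extra_groups))
        if acct.edits_on_owner:
            findings.append((acct.name, "edits-owner-contact-data", acct.edits_on_owner))
    return findings


if __name__ == "__main__":
    for op, finding, detail in audit(parse_export(EXPORT)):
        print(f"{op}: {finding} {sorted(detail)}")
```

On the constructed rows, `op_1` (whose owner holds only the narrow user scope) produces three findings, one per symptom from the post, while `op_2` (whose owner is a broker with the wider scope) produces none: the point is that the comparison is always against the specific owner, so the same operator grants are acceptable under one owner and a defect under another.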

alexandre
Posts: 837
Joined: Wed Sep 06, 2006 9:06 am

Re: Operators can see username of customers even if username is not visible to users

Post by alexandre » Fri Aug 23, 2019 5:16 pm

Hi,

We will fix these problems on the next version (4.12.2).

Thanks for the report.

regards
Alexandre Caurrinhos
Cyclos development team.
