Project

General

Profile

Bug #3454

Acknowledge all notices is presented to users who do not have privilege

Added by Phillip Davis about 3 years ago. Updated about 1 month ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Dashboard
Target version:
Start date:
02/15/2014
Due date:
% Done:

100%

Affected version:
2.1
Affected Architecture:

Description

I have local users that are just for OpenVPN authentication. They just have access to the System: User Password page, so they can change their password as needed. I was changing this for myself, and happened to get a system notice about AutoConfigBackup (not particularly relevant what the notice is). It gave me the "Acknowledge All Notices" prompt. When I clicked on it, the notices area on the top-right blanked out, but was not replaced by the usual bit with the name of the router, and some error message was displayed, of which I could see just the last line - "document.location.href = 'https://nco-rt-01.net.inf.org//system_usermanager_passwordmg.php';" - see the screen shot.
The notice does not get acknowledged, because I suppose the user does not have the privilege to acknowledge notices.
Possible solution: only present the "Acknowledge" button to users that have enough privilege to use it.
Also think about whether to even present the "Unread notices" at all to users with restricted privs. Certainly for users that have just the change password page, then I don't really want them to see system notices. But users with "view all" privs I do want to see system notices, but they may not be able to acknowledge them - what are the real requirements for that?

UserPassword.png (32.4 KB) Phillip Davis, 02/15/2014 11:12 PM

Associated revisions

Revision fe80b3aa
Added by Phillip Davis 3 months ago

Fix #3454 Do not show Mark All as Read button when no priv

If the user does not have access to index.php then the "Mark All as Read" button for the notices popup does not work for them anyway, so do not show it.
This fixes the obvious UI inconsistency - where the user has a button that they press, but it is not effective.

Revision ea4f5252
Added by Phillip Davis 3 months ago

Fix #3454 Do not show Mark All as Read button when no priv

If the user does not have access to index.php then the "Mark All as Read" button for the notices popup does not work for them anyway, so do not show it.
This fixes the obvious UI inconsistency - where the user has a button that they press, but it is not effective.
(cherry picked from commit fe80b3aac6ddd661c7a2daf52ad54f1722915590)

History

#1 Updated by Phillip Davis 3 months ago

Bug fix PR https://github.com/pfsense/pfsense/pull/3319

I will raise another feature issue to discuss what could be done for users who maybe should not be able to see and/or clear notices.

#2 Updated by Phillip Davis 3 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#3 Updated by Phillip Davis 3 months ago

The changes here fix this bug report.
For a followon feature request to implement control of view/clear notices see:
https://redmine.pfsense.org/issues/7051

#4 Updated by Renato Botelho 3 months ago

  • Status changed from Feedback to Resolved

#5 Updated by Jim Pingle about 1 month ago

  • Target version set to 2.3.3

Also available in: Atom PDF