Report a Bug

#BugReportDecidim Let's test Decidim and report bugs together


Searching a private content can be possible not being an allowed user to that content

Gian Luca Corso
16/07/2019 12:31  
Withdrawn

As an authenticated user I can search, using the search bar in the top bar, a content of a private process and the result of the search is visible also to users not allowed to see that content which is not good. Can you please check?

Category: 0.17.X
Reference: MDC-PROP-2019-07-14704
Version number 1 (of 1)

Fingerprint

The piece of text below is a shortened, hashed representation of this content. It's useful to ensure the content hasn't been tampered with, as a single modification would result in a totally different value.

Value: 6f20649c80314be92a03874eb8d00d17c546fea8ac34072fb04a119fc7d2eda9

Source: {"body":{"en":"As an authenticated user I can search, using the search bar in the top bar, a content of a private process and the result of the search is visible also to users not allowed to see that content which is not good. Can you please check?"},"title":{"en":"Searching a private content can be possible not being a allowed user to that content "}}

This fingerprint is calculated using a SHA256 hashing algorithm. In order to replicate it yourself, you can use a SHA256 calculator online and copy-paste the source data.


10 comments

Pau Parals
16/07/2019 14:30
Against  

Hi @JeanLuc_1974. Searching a private content is possible. "Private" means that only "private participants" can participate. The bug will come if it's a non-transparent assembly, which means only private participants can see the content.

Gian Luca Corso
18/07/2019 11:38

Hello Pau, thanks a lot for your quick reply. It seems to not work as described by you, or at least this is what I see. To summarize: there is a private process not defined by me and I'm not on the list of private participants but I can search and see the private content. I've also made some screenshots to let you see and check if there is something wrong in my approach, let me know how I can let you have them, maybe there is something I'm missing out.

Gian Luca Corso
18/07/2019 11:43

...or maybe Administrators are always allowed to see all the private contents?

Gian Luca Corso
18/07/2019 14:16

Ok, I've done some more tests.
The result is:
1) Administrators seem to have full visibility to private processes, no matter if they are private participants, and that's good;
2) Users which are not private participants and search for a private content can receive (at least) a result of the search in (at least) a card summarizing the private content. The card has a link which, in this case, is not allowed to take the user to the full content. Now, if possible, our request is, in this case, not to show that card at all.

Pau Parals
18/07/2019 15:18

Yep @JeanLuc_1974, you are right with 1). What I am not sure is the 2). What I comment in the first comment is, in Decidim, we must differentiate between private and transparent.
Private: Affects participation. No to visualization. That is, a private process is visible to all users, but they can only take participation actions if they are a private user. (
Transparent: Affects the visualization. To visualize a non-transparent assembly, the condition is to be a private user. (it's not possible to make a non-transparent process nowadays)

Gian Luca Corso
18/07/2019 15:54

OK, thanks.

Carol Romero
19/07/2019 10:21

Hi @JeanLuc_1974, sorry that I'm late to reply. You're absolutely right, this is a bug.
To clarify:
- Private processes: only private participants (invited by an admin) can see and participate.
- Transparent processes: only private participants (invited by an admin) can participate and the rest of participants can see (and therefore search).
We'll open an issue in GitHub, thanks for reporting it!

Gian Luca Corso
19/07/2019 10:32

OK, thanks :-)

Pau Parals
19/07/2019 10:35

Hi @carol, transparent processes currently don't exist. That's the problem. What you comment does not coincide with assemblies. If we want to keep the logic:
Private: It affects the participation
Transparent: It affects visualization

Carol Romero
19/07/2019 11:33

Hi Pau, you're right that for processes there is no option to make them transparent, only assemblies. In any case, and as far as the original report is concerned, the way it works is what I have said for both of them. In the case of being private, only the invited participants can see and participate in those spaces.
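
The search behaviour reported in this thread, next to a search that applies the visibility rule as Carol Romero states it, as an added example that is not part of the thread and not Decidim's code. The `Space` and `User` structs, their field names and the sample data are constructed for illustration.

```ruby
# Added illustration: a constructed in-memory model, not Decidim's code.
# Struct and field names are hypothetical.
Space = Struct.new(:title, :private_space, :transparent, :participant_ids, keyword_init: true)
User  = Struct.new(:id, :admin, keyword_init: true)

# Rule as Carol Romero states it in the thread:
#   not private              -> visible to everyone
#   private and transparent  -> visible to everyone, participation by invitation
#   private, not transparent -> visible to invited participants and admins only
def visible_to?(space, user)
  return true unless space.private_space
  return true if space.transparent
  return false if user.nil? # anonymous visitor
  user.admin || space.participant_ids.include?(user.id)
end

# Reported behaviour: matching on text alone returns a card for the private
# space to any user, even though the card's link is then refused.
def search_unfiltered(index, term)
  index.select { |s| s.title.downcase.include?(term.downcase) }
end

# Requested behaviour: apply the visibility rule to the result set itself.
def search_filtered(index, term, user)
  search_unfiltered(index, term).select { |s| visible_to?(s, user) }
end

# Constructed sample data.
INDEX = [
  Space.new(title: "Budget 2019", private_space: false, transparent: false, participant_ids: []),
  Space.new(title: "Budget board", private_space: true, transparent: false, participant_ids: [2]),
  Space.new(title: "Budget assembly", private_space: true, transparent: true, participant_ids: [2])
].freeze
OUTSIDER = User.new(id: 1, admin: false)
INVITED  = User.new(id: 2, admin: false)
ADMIN    = User.new(id: 3, admin: true)

def titles(spaces)
  spaces.map(&:title)
end

puts "unfiltered: #{titles(search_unfiltered(INDEX, 'budget')).inspect}"
[["outsider", OUTSIDER], ["invited", INVITED], ["admin", ADMIN], ["anonymous", nil]].each do |name, user|
  puts "#{name}: #{titles(search_filtered(INDEX, 'budget', user)).inspect}"
end
```

Filtering the result set, rather than only refusing the link behind the card, keeps the title and summary of a private space out of responses to users who are not invited.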
