I created a normal users, with no 'Technical Features' access rights granted. I logged in with this user, and opened some screen.
Now I logged in using the admin user, opened the 'users' list view and got the 'action' # from the url of this view,
From the user's url I changed the action # of the current view to be 76 same as that of the 'users' list view.
The user, which has no access rights to the 'Technical Features' was able to see the 'users' list view
Moreover, he can access groups and other technical features by changing the action id from the url
I don't need this user to see these data.
How to prevent this behavior or work around it?
Please try to give a substantial answer. If you wanted to comment on the question or answer, just use the commenting tool. Please remember that you can always revise your answers - no need to answer the same question twice. Also, please don't forget to vote - it really helps to select the best questions and answers!
About This Community
|Asked: 4/25/16, 6:02 AM|
|Seen: 348 times|
|Last updated: 5/12/16, 3:06 AM|