New idea

Restrict deletion of entire iSheet record subject to user groups' "view only" permission on certain columns

Context

It has come to our attention recently that the logic currently followed by iSheet permissions is somewhat counter-intuitive with regards to users' ability to delete iSheet records despite not having permission to edit some columns contained within that record.

It does not make logical sense that a user group which has been restricted from editing certain values in an iSheet record should have permission to effectively delete those values, alongside everything else in the record; this contradicts the logic behind removing their permission to edit those certain values. 

It is currently true that a user with no edit permissions on any columns does not have the ability to delete records, but changing just one column permission to edit will allow this to happen.

Proposal

We propose a solution whereby the delete permission is isolated, in a similar fashion to the files module permission setup, such that specific user groups can be granted explicit "Delete" permission for a given iSheet record.

Alternatively, or in addition to, perhaps a user group with "edit" permissions for all columns in an iSheet would be the only group/s assumed to be able to delete records; any groups without full "edit" permissions on all columns would be unable to delete records.

George Dempsey

  • I agree and support George's submission for consideration by the development team. Given the security that HighQ collaborate enforces on most of the modules this one appears to have been overlooked. Rather than only being able to delete a row if you have edit permission to all the contained fields in the row, currently you only need edit/view permission to one field to delete the entire row.
    This came to light in a service level tracking application where we used an isheet to log various details about issues raised. We exposed a limited set of fields to the external user for comment and discovered that they were able to delete the entire row which included data not visible to them.
    There should be some restriction which disables the deletion of a row unless you have unfettered access to all fields contained in it.

  •

    As a further update to the above, it would appear that even with no permissions assigned to edit on any columns within the iSheet, users are still able to delete iSheet rows. This is contradictory to one of my context statements above.