My problem is, after I removed the « All Tasks » from the user’s menu, if I type the link manually containing the action-view name (« http://localhost:8080/#/ds/team.tasks.all/list/1 ») in the browser, the user is still able to access the page, which I would want to prevent since it shows tasks that are from other companies and projects the user is not involved in.
What would be the best way to go around this?
Digging around, I suspect I may need to modify permissions but I’m not quite sure how to go about it.
I suspect this is the permission (if this is indeed the right direction) that is involved.
I’ve encountered a similar problem with security from pasting URLs in the same way as this. If a URL is pasted by a user without the permission to view that particular record or item through clicking via the UI, I believe it is possible to access the item.
If I find a solution I’ll be in touch as it might help.
I think the solution could be in refining the permissions further to have more conditions. The problem is I am not too versed in making custom permissions and have only been using the already existing ones. I’m hoping someone who has played around with custom permissions could enlighten us.
Apparently I was already staring at the answer the whole time. This is the permission needed to restrict the user to be able to view tasks he is allowed to (if the rule is you can only open tasks wherein you’re a project member). Even if you type the link to tasks outside your projects, you won’t be able to view them.