Sharing permissions can be edited by added users (not owner/admin)

Good day,

I wanted to recognize a bug in the sharing feature of kobotoolbox which enables added users other than the owner(admin) of the project to customize the permissions of the users. I was wondering if this is something people have noticed or observed as well. Please fix this bug soon to prevent any data from being compromised.

Hi @ahs41510,

Welcome to the community! Kindly please be informed that user’s having the Edit and delete submissions permission should only have access to edit or delete your submissions. You could control the user’s permissions by providing only View submissions or Add submissions if you think providing full access should be risky to your project data.

Have a great day!

Hello @Kal_Lam,

Thank you for replying to my thread! I understand the limitations an added user is supposed to have on a project. Although, take a look at the screenshot that I have below. My alternate account was added to one of the project I created for the purpose of specified viewing of submissions. I would normally log into the owner account to change the permissions but this time around I failed to recognize that I have not logged out of the account. I decided to try and change my own permissions and I was shocked to see that I was able to.

Let me know what you think.

Hi @ahs41510,

Thank you for flagging up this issue. Kindly please be informed that i could reproduce this at my end and have also informed the developers about the same.

Please do let us know, if there is any in the upcoming days too.

Have a great day!