New user, some questions

Community Support for Booked Scheduler
Post Reply
Posts: 2
Joined: Mon Sep 21, 2020 7:25 am

New user, some questions

Post by JayKidd20 »

I am a new user of booked. I have encountered some problems during my first couple of installation/manage attempts. Would very much appreciate some pointers from the community.

my setup: booked 2.8.4, Apache/MySQL/CentOS 6. With email activation/self register.

First, let me explain some of my security concerns

1) After I publish a resource calendar, one can use the Monitor-Display-Page to book the resource without providing any password. The booking will be marked as a hard-coded string "ad hoc meeting". Is this the intended behavier or there're some related settings that I missed.

2) Under the "User" page, one can freely update their own "userid" or "email", which made me feel uncomfortable. If the "Admin Email" address in config.php happens to be unused, anyone can update their email address to elevate their role to application admin. Even change your own userid at will seems unsafe to me. I understand this wouldn't be a problem after I swiched the system to LDAP authentication, but I would feel much safer if these two attributes are unchangeable.

3) An user belongs to a group with "Group Admin" role. Can update group member's user profile, including password. This sound ok, but the admin can add any user into his group. In fact, he can create a new group, which can be set to "automatically grant group membership" hence the user will become group admin to every single one user in the system. The end result is that, the group admin can update anything inside any user's profile (including password), let alone making bookings in their name. I seriously doubt this is the intended feature. I actually changed the application admin's profile using a group admin's account which have only an empty group at the beginning.

Post Reply