New users (no rights) can view tasks

[rvorias]

I'm hosting a cvat server and when I create a new user account via the login page, the new user has direct access to the existing tasks: it sees the list of tasks and can even export the annotations.

The documentation says:

You can register a user but by default it will not have rights even to view
list of tasks.

Can someone verify if this is broken? Atm it makes my cvat server unusable.

View from newly made user

View from admin panel

[Panda2Chang]

I modify https://github.com/opencv/cvat/blob/develop/cvat/apps/authentication/auth.py#L196
to :

• def has_permission(self, request, view):

•    return request.user.has_perm("engine.task.access")
  

It work,but I do not know have any side-effect for this moodify

[anderflash]

Hi,
Related to this issue, an annotator can't be allowed to see the "Create Task" button and can't have access to the 'create task' screen, since it shows the complete server share (by clicking on its tab) with all the images, a security issue.

[BlueNotesRobot]

I figured new users can see all tasks which have not yet been assigned. To deal with that I created a new user called "unassigned".
Whenever I create a new task, I assign it to that user and then new users cannot see it.

[azhavoro]

At the moment as workaround is possible to set reduce_task_visibility variable to True here https://github.com/opencv/cvat/blob/develop/cvat/settings/base.py#L424 to remove public access to unassigned tasks. The new permission system will be introduced in future releases.

[leeyh20]

Hi would like to know when the permission system will be introduced? :)

[omersefaztrk]

@azhavoro I tried your advice. But it does not work. I set reduce_task_visibility variable as True and ı build cvat with docker-compose up -d. :(

[Crescent-Saturn]

@omersefaztrk , since you modify the source code, you need to build the CVAT with docker-compose.dev.yml file.
You can refer to this #1283 for more details, especially this reply, good luck!