I got a complaint from a parent today that they could no longer send messages to the unit, so I looked at the underlying permissions.
It looks like for any adult who is not a leader or a former leader of any unit, i.e., they have never had anything but a parent connection, all of their connections with all scouts except their own children were severed, even the ‘View Profile’ permission. So I now have over 7500 ‘View Profile’ permissions to restore…
Even worse, attempting to restore ‘View Profile’ is giving them ‘View Advancement’ instead.
Joe,
These connections should only have been changed to View Profile or View Advancement. The easiest way you can restore this is with the Permissions By Position function of the the volunteer written and supported Feature Assistant Extension for Scoutbook for Chrome and Firefox. See Feature Assistant - What is it? for details on the extension.
Another way to restore them quickly is to use Connection Manager then click on the parent name. Due to a bug, parents will be given View Advancement to all Scouts even if you only select View Profile.
I cannot restore to View Profile. Now permissions are stuck on View Advancement.
This would seem to me to be a priority 1 security bug that should be addressed ASAP.
Allowing parents to see other youth advancement is not considered a security issue. Anyone can typically look at a Scout’s uniform and see what advancement has been earned.
I beg to differ. You can see a lot more than the array of badges earned.
You can access advancement in progress, notes, etc.
The person already has access to first name last initial. Advancement is not PII or private. As it was said, you can look at their uniform or hear progress at a Court of Honor.
So in your opinion, it would not be a problem for someone to pickup a Scout’s physical handbook (not their own child) and start looking through their advancement signoffs without their permission? On top of that, they can look through the personal notes between the scout and MB counselors and other leaders? And look at photos, and documents the scout has uploaded attached to their advancement activity?
It would be fine if the permission was limited to showing the display of ranks and awards earned, but it goes well beyond that.
I do not think it is a “priority 1 bug”. It is not PII. It is also not world readable, only to parents in the unit, no?
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.
© 2019 Boy Scouts of America - All Rights Reserved
