Uploaded image for project: 'Plugins'
  1. Plugins
  2. CONTRIB-3120

User B (non admin) can book over User A's booking

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Duplicate
    • Icon: Minor Minor
    • None
    • 2.0
    • Block: Mrbs
    • None
    • MOODLE_20_STABLE

      In short, to steal someone's booking, you just have to click on any blank spot, then change the date, time and room to the booking you want to steal, click save changes and MRBS Moodle 2.0 allows you to do it.

      DETAILS ON HOW TO DUPLICATE BUG
      I create two users in Moodle 2.0 both as MRBS schedulers. With User A, I book a room - Say Monday Period 1. Then I log in with User B and I see User A's booking. When I click on the booking, I cannot remove the booking - so far so good. But if I click to book on another OPEN slot, the booking form comes up and in that form, if I change the date to Monday Period 1 (same room), then click on save changes at the bottom, I will actually overwwrite User A's booking! Now when I log back in with User A, I see my booking is now gone and changed to User B. So User B stole my booking!

      I tried this "sneaky trick" on the MRBS demo site and when I clicked "save changes" there, it said I couldn't create that booking because that spot was already booked by User A.

            davosmith Davo Smith
            cardosoc Chris Cardoso
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved:

                Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.