-
Fokkema authored
- Submitters have access to the Users object for access sharing. - This access was partially granted in 3.0-16, but the actual security issue was introduced later when the VL was released to submitters, so they could search and sort the access sharing VL. - Certain columns were hidden for security reasons by the access sharing page, but manipulating the VL directly allowed any submitter to get a full list of the LOVD users with full columns. - The columns hidden in the access sharing page are now forced to be hidden in any users VL for submitter level users. - Additionally, hid the username field, and unhid the ID field. - Fixed typo in changelog.txt.
fb9819b8