Enroll Existing User

Are you responsible for making OJS work -- installing, upgrading, migrating or troubleshooting? Do you think you've found a bug? Post in this forum.

Moderators: jmacgreg, btbell, michael, bdgregg, barbarah, asmecher

Forum rules
The Public Knowledge Project Support Forum is moving to http://forum.pkp.sfu.ca

This forum will be maintained permanently as an archived historical resource, but all new questions should be added to the new forum. Questions will no longer be monitored on this old forum after March 30, 2015.
ntorres
Posts: 65
Joined: Thu Nov 17, 2005 1:19 am
Contact:

Enroll Existing User

Postby ntorres » Wed Sep 19, 2007 8:58 am

Hello

When a journal manager link to "Enroll Existing User" from role's page to registry as any role (editor, copyeditor...) in his journal an existing user, he can list all users registered on my ojs site.
This list includes some information (username, name, email) protected by "data protection laws" ... and can show how many users exists... Exists any way to hide this information?


Thanks

asmecher
Posts: 10015
Joined: Wed Aug 10, 2005 12:56 pm
Contact:

Re: Enroll Existing User

Postby asmecher » Wed Sep 19, 2007 9:28 am

Hi ntorres,

The Journal Manager role is intended to have access to this sort of information, and there are many cases where it's useful and even necessary to allow them to access the complete list of users in the system -- I'm not sure I understand the privacy issue at stake here. Could you describe the situation further?

Regards,
Alec Smecher
Public Knowledge Project Team

ntorres
Posts: 65
Joined: Thu Nov 17, 2005 1:19 am
Contact:

Re: Enroll Existing User

Postby ntorres » Thu Sep 20, 2007 9:38 am

Hello

The privacy statement by default says "The names and email addresses entered in this journal site will be used exclusively for the stated purposes of this journal and will not be made available for any other purpose or to any other party."
But all journal managers (from all journals in ojs) can read this information about registered users (and "sign in as ")
We want jounal manager can not list users registered in other journals. Can it be possible?

Regards,

asmecher
Posts: 10015
Joined: Wed Aug 10, 2005 12:56 pm
Contact:

Re: Enroll Existing User

Postby asmecher » Thu Sep 20, 2007 10:06 am

Hi ntorres,

Since a single installation of OJS shares user accounts across all journals (which is not the same thing as sharing roles, of course, which can be assigned independently to different journals), the Journal Manager must be able to access the complete list of users e.g. in order to enroll a user as an Author if they've forgotten to choose the "Author" role when registering (or if user self-registration as an author is disabled, which might be the case if the journal has closed or invited authorship).

There are some restrictions in place, i.e. if a Journal Manager tries to use the "Log In As" function on a user account that has roles in other journals that the Manager does not also manage, they will not be allowed. This is to prevent a manager from gaining access to an author's submissions in another journal.

If this is not separate enough, I'd suggest managing several OJS installations rather than sharing a single installation amongst multiple journals. However, I don't think there are security issues beyond a Manager simply being able to see email addresses and names for users outside their journal.

Removing the ability of a Journal Manager to enroll users outside of the current journal will result in a number of administrative headaches -- one of the things users typically do is forget to choose a role, which results in their being enrolled without any roles in any journals. The Manager must be able to correct this situation.

Regards,
Alec Smecher
Public Knowledge Project Team


Return to “OJS Technical Support”

Who is online

Users browsing this forum: Google [Bot], Yahoo [Bot] and 5 guests