I'm hosting a cvat server and when I create a new user account via the login page, the new user has direct access to the existing tasks: it sees the list of tasks and can even export the annotations.
The documentation says:
You can register a user but by default it will not have rights even to view
list of tasks.
Can someone verify if this is broken? Atm it makes my cvat server unusable.
View from newly made user

View from admin panel

I modify https://github.com/opencv/cvat/blob/develop/cvat/apps/authentication/auth.py#L196
to :
Hi,
Related to this issue, an annotator can't be allowed to see the "Create Task" button and can't have access to the 'create task' screen, since it shows the complete server share (by clicking on its tab) with all the images, a security issue.
I figured new users can see all tasks which have not yet been assigned. To deal with that I created a new user called "unassigned".
Whenever I create a new task, I assign it to that user and then new users cannot see it.
At the moment as workaround is possible to set reduce_task_visibility variable to True here https://github.com/opencv/cvat/blob/develop/cvat/settings/base.py#L424 to remove public access to unassigned tasks. The new permission system will be introduced in future releases.
Most helpful comment
At the moment as workaround is possible to set
reduce_task_visibilityvariable to True here https://github.com/opencv/cvat/blob/develop/cvat/settings/base.py#L424 to remove public access to unassigned tasks. The new permission system will be introduced in future releases.