security-privacy: why Redmine data (issues, Gantt users) can be read without login

Added by vova sarkisyan over 6 years ago

I'm using Redmine; it's installed on my server. But this security issue, where anyone can read the data without logging in, bothers me.
So anyone can open my Redmine address, go to Projects, and see all the projects. After that they can open the issues of a specific project and also see all the data.

Does anyone have a clue how this can be changed and what the reason for it is?

Replies (3)

RE: security-privacy: why Redmine data (issues, Gantt users) can be read without login - Added by vova sarkisyan over 6 years ago

Yes, there are members and roles, and if a specific role doesn't have the permissions, he won't be able to edit the data.
But the issue is read permissions: I don't have to be a user (don't have to log in) to read the data.

If I take this site (http://www.redmine.org) as an example, I can log out and still see all the issues of the Redmine project and still read the forum. The same is true in my Redmine system. So if my Redmine is accessible outside of my company's network, anyone can read all the data.

RE: security-privacy: why Redmine data (issues, Gantt users) can be read without login - Added by vova sarkisyan over 6 years ago

OK, anyway, I found the solution:
Administration -> Settings -> Authentication -> check "Authentication required"
This will prevent "users" who are not logged in from reading/accessing the data.
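
A way to confirm from outside that the setting took effect, as an added example that is not part of the original thread: the script requests a few Redmine pages without credentials and classifies each answer. It assumes that a Redmine instance with "Authentication required" enabled redirects anonymous HTML requests to `/login` and answers REST API (`.json`) requests with 401; the host name and sample responses are constructed.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Pages an anonymous visitor could browse in the scenario described above.
PATHS = ["/projects", "/issues", "/projects.json"]

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx instead of silently following it

def classify(status, location=None):
    """Classify one unauthenticated response."""
    if status == 401:
        return "login_required"
    if status in (301, 302, 303, 307):
        # Only a redirect to the login page counts; an http->https or
        # trailing-slash redirect says nothing about access control.
        if location and urlsplit(location).path.rstrip("/").endswith("/login"):
            return "login_required"
        return "inconclusive"
    return "public" if status == 200 else "inconclusive"

def fetch_anonymous(base_url, path, timeout=10):
    """Send one request with no cookies or API key; return (status, Location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(base_url.rstrip("/") + path, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")

def audit(base_url, fetch=fetch_anonymous):
    return {path: classify(*fetch(base_url, path)) for path in PATHS}

# Constructed responses: setting unchecked (BEFORE) and checked (AFTER).
LOGIN = "http://redmine.example/login?back_url=http%3A%2F%2Fredmine.example%2F"
BEFORE = {p: (200, None) for p in PATHS}
AFTER = {"/projects": (302, LOGIN + "projects"),
         "/issues": (302, LOGIN + "issues"),
         "/projects.json": (401, None)}

def fake(samples):
    return lambda base_url, path: samples[path]

if __name__ == "__main__":
    for label, samples in (("before", BEFORE), ("after", AFTER)):
        print(label, audit("http://redmine.example", fake(samples)))
```

To check a real instance, call `audit()` with its base URL and no `fetch` argument; any path reported as `public` is still readable without login.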
