Security problem with "only issues created by or assigned"-permission?
Added by Anonymous almost 8 years ago
Hi!
As I encountered security problems when using the "extended_watchers_plugin" due to the behavior of other plugins, I investigated the permission setting with the ticket visibility "only issues created by or assigned".
We are on Redmine 3.3.0, and I found the following problem, which I would like to discuss here before posting it as a defect:
My user with the permission "only issues created by or assigned" shows the following behavior when accessing tickets:
- ticket statistics on the project overview: OK (only showing tickets where the user is author or assignee)
- ticket lists and filtered lists: OK (only showing tickets where the user is author or assignee)
- direct access to an invisible ticket by entering the ticket ID in the search field: OK (ticket not found)
- direct ticket access via URI: not OK: if the user knows the issue ID, the user can break security within the given project and access those tickets simply by entering the corresponding URI, e.g. "https://redmine.mycompany.at/issues/4401"
- so a ticket of the current project is accessible although the user should have restricted access.
To the community: can you confirm this behavior/security leak?
Then this should be logged as a defect.
Thanks a lot
Immanuel.
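The check the post describes, comparing what the issue list shows against what direct access to /issues/:id returns, can be expressed as a small consistency test. The Ruby below is an added example and is not Redmine's code or the plugin's; it models the three per-role visibility modes ('all', 'default', 'own') on a simplified re-implementation of Redmine's Issue#visible? (an assumption here; the real predicate lives in app/models/issue.rb), uses constructed users, roles and issues, and contrasts a direct-access path that reuses the visibility predicate with one that only checks project membership, which is the behavior the post reports.

```ruby
# Added example, not Redmine's own code: a minimal model of per-role issue
# visibility and of the two controller paths (list vs. direct /issues/:id).
# Security point: both paths must go through the same visibility predicate.

User  = Struct.new(:id, :name)
Role  = Struct.new(:issues_visibility)   # 'all' | 'default' | 'own'
Issue = Struct.new(:id, :project_id, :author_id, :assigned_to_id, :is_private)

# True when the user is the issue's author or assignee.
def own?(issue, user)
  issue.author_id == user.id || issue.assigned_to_id == user.id
end

# Simplified predicate modelled on Redmine's Issue#visible? (assumption).
# role is nil when the user is not a member of the issue's project.
def issue_visible?(issue, user, role)
  return false if role.nil?
  case role.issues_visibility
  when 'all'     then true
  when 'default' then !issue.is_private || own?(issue, user)
  when 'own'     then own?(issue, user)
  else false
  end
end

# Issue list / statistics: filtered with the predicate (the "OK" cases).
def visible_issues(issues, user, memberships)
  issues.select { |i| issue_visible?(i, user, memberships[[i.project_id, user.id]]) }
end

# Direct access, correct: same predicate, 404 when the issue is not visible.
def show_issue(issues, id, user, memberships)
  issue = issues.find { |i| i.id == id }
  return [404, nil] unless issue && issue_visible?(issue, user, memberships[[issue.project_id, user.id]])
  [200, issue]
end

# Direct access, broken: only checks that the user is a project member,
# so any guessed ID inside the project is readable (the reported behavior).
def show_issue_membership_only(issues, id, user, memberships)
  issue = issues.find { |i| i.id == id }
  return [404, nil] unless issue && memberships[[issue.project_id, user.id]]
  [200, issue]
end

# Consistency check: every issue absent from the user's list must also be
# refused on direct access. Returns the IDs that leak.
def direct_access_leaks(issues, user, memberships, show)
  listed = visible_issues(issues, user, memberships).map(&:id)
  issues.map(&:id)
        .reject { |id| listed.include?(id) }
        .select { |id| show.call(issues, id, user, memberships).first == 200 }
end

# Constructed sample data (hypothetical IDs, not taken from any real instance).
ALICE = User.new(1, 'alice')   # restricted user, role visibility 'own'
BOB   = User.new(2, 'bob')     # unrestricted user, role visibility 'all'
PROJECT = 7
MEMBERSHIPS = {
  [PROJECT, ALICE.id] => Role.new('own'),
  [PROJECT, BOB.id]   => Role.new('all'),
}
ISSUES = [
  Issue.new(4400, PROJECT, ALICE.id, nil,      false),  # alice is author
  Issue.new(4401, PROJECT, BOB.id,   BOB.id,   false),  # alice is neither author nor assignee
  Issue.new(4402, PROJECT, BOB.id,   ALICE.id, false),  # alice is assignee
]

if __FILE__ == $0
  puts "list for alice: #{visible_issues(ISSUES, ALICE, MEMBERSHIPS).map(&:id).inspect}"
  puts "leaks, predicate path:  #{direct_access_leaks(ISSUES, ALICE, MEMBERSHIPS, method(:show_issue)).inspect}"
  puts "leaks, membership-only: #{direct_access_leaks(ISSUES, ALICE, MEMBERSHIPS, method(:show_issue_membership_only)).inspect}"
end
```

Run against a real instance, the same comparison is what to reproduce: collect the IDs the restricted user sees in the issue list, then request each other ID of the project directly and expect a 403 or 404; any 200 is the leak described above. Because a plugin can override or bypass the controller's lookup, repeating the check with the plugin disabled tells you whether the core or the plugin is at fault.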