Project

General

Profile

Actions

Feature #11724

closed

Prevent users from seeing other users based on their project membership

Added by Maxim Kim about 12 years ago. Updated about 10 years ago.

Status:
Closed
Priority:
Normal
Category:
Permissions and roles
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed

Description

This feature #5159 caused a major problems at least for us.
We let our customers to add new issues and watchers. And now our customers can see other customer names, which is inacceptable!
Could you please add asap setting to switch off this feature.

My personal opinion is that right solution was to add permission "can be non-member watcher" as someone suggested earlier.


Files

0001-watchers-fix.patch (1.41 KB) 0001-watchers-fix.patch Rafał Lisowski, 2014-04-15 22:18

Related issues

Related to Redmine - Feature #5159: Ability to add Non-Member watchers to the watch listClosedJean-Philippe Lang2010-03-23

Actions
Related to Redmine - Feature #13527: 'Display name' for usersNew

Actions
Related to Redmine - Feature #13533: Concept for controlling visibility of usersNew

Actions
Related to Redmine - Defect #9500: Watchers list before and after creation issueNew2011-10-31

Actions
Related to Redmine - Defect #15789: Users can see all groups when adding a filter "Assignee's Group"ClosedJean-Philippe Lang

Actions
Related to Redmine - Feature #17747: Private rolesNew

Actions
Related to Redmine - Patch #18128: Make User profile 404 rendering more consistent (and speed up Users#show API)Closed

Actions
Related to Redmine - Feature #6015: Private UsersNew2010-08-02

Actions
Related to Redmine - Feature #26555: Hide user information from other users (even if they are all members of the same project)New

Actions
Related to Redmine - Feature #2060: Make project members visibility configurable to user groupsNew2008-10-21

Actions
Has duplicate Redmine - Defect #15123: "Add watcher" leaks all active usersClosed

Actions
Actions #1

Updated by William Roush about 12 years ago

This almost sounds like it should be the other way around:

The permission should probably be on the user to add non-member watchers. If I'm a project manager I can't be limited for something that in essence is to keep non-members from adding each other.

Of course does this mean that non-members can view profiles of other non-members? If so this permission would be pretty useless, I can just cruise the member list if this barrier is put in place (which means this issue has really existed for a long time).

I'd almost suggest the ability to limit users from seeing non-members in general, and let that permission cascade to this search box.

Actions #2

Updated by Etienne Massip about 12 years ago

  • Tracker changed from Defect to Feature
  • Subject changed from Re: Ability to add Non-Member watchers to the watch list to Prevent users from seeing other users based on their project membership
  • Category changed from Administration to Permissions and roles
  • Assignee deleted (Jean-Philippe Lang)
  • Priority changed from High to Normal
  • Target version set to Candidate for next major release
Actions #3

Updated by Hannes Meier about 12 years ago

whaaaaaaaaat????

that s really not good. i just set up a redmine for 2 customers and you are absolutely right, they can see each other if they add watchers.

Same for the redmine/users/XX links.
Everyone can scan all users at any time. A role/permission to change that would be very important.

Actions #4

Updated by Dries Maertens about 12 years ago

You should check out http://www.redmine.org/boards/1/topics/4143
They post a solution to manually change some files to change what certain members can see.

I still think this should remain a feature for a future version so we don't have to do this in the code directly.

Actions #5

Updated by Tobias Fischer over 11 years ago

+1 on this feature-request!

We're having the same problem as Maxim.
But I think that a role-permission is the wrong way to do this!

This should be a project specific option!

Actions #6

Updated by Mischa The Evil over 11 years ago

Maxim Kim wrote:

This feature #5159 caused a major problems at least for us.
We let our customers to add new issues and watchers. And now our customers can see other customer names, which is inacceptable!
[...]

This is true defect IMO. As a workaround you can revoke the "Add watchers" permission from your customer roles.

William Roush wrote:

Of course does this mean that non-members can view profiles of other non-members? If so this permission would be pretty useless, I can just cruise the member list if this barrier is put in place (which means this issue has really existed for a long time).

I'd almost suggest the ability to limit users from seeing non-members in general, and let that permission cascade to this search box.

Hannes Meier wrote:

[...]

Same for the redmine/users/XX links.
Everyone can scan all users at any time. [...]

It is simply not true that all users can browse account/user pages unlimited. This is reserved to administrators only. Non-admin users can't browse user pages of users who are not active ánd who have no visible project or activity. See #14601#note-1 (note-1) and more historically r2986 (for #4129 & #3720).

Actions #7

Updated by Mischa The Evil about 11 years ago

  • Related to Defect #15123: "Add watcher" leaks all active users added
Actions #8

Updated by Jean-Philippe Lang about 11 years ago

  • Assignee set to Jean-Philippe Lang

Rather than adding a specific permission for adding non members as watchers, I'd like to add a setting on each role that defines which users the role is allowed to see: all users or members of visible projects. That would apply to adding watchers and viewing users as well (/users/:id). And I think it would be easier for those who want to control user visibility (rather than reviewing all permissions to know which users the role can see).

Actions #9

Updated by Mischa The Evil about 11 years ago

Jean-Philippe Lang wrote:

[...] I'd like to add a setting on each role that defines which users the role is allowed to see: all users or members of visible projects [...]

I think that would be a good solution for this issue.

Actions #10

Updated by Maxim Kim about 11 years ago

That is great news but we had to go with different software already because of that.
But good to know, if this is fixed in future we may consider a comeback.

Maxim Kim wrote:

Added by Maxim Kim about 1 year ago.

Actions #11

Updated by Etienne Massip about 11 years ago

Jean-Philippe Lang wrote:

Rather than adding a specific permission for adding non members as watchers, I'd like to add a setting on each role that defines which users the role is allowed to see: all users or members of visible projects. That would apply to adding watchers and viewing users as well (/users/:id). And I think it would be easier for those who want to control user visibility (rather than reviewing all permissions to know which users the role can see).

I think this should not solve the critical case where reporters of a private project are external customers that should not know who are the other customers, would it?

And when an user is not tied to a project anymore, you can't have any visibility policy applicable, right ?

Why not simply have a "public"/"private" user setting(which could be extended to group) and have a "See private users" setting at role level?

Edit: actually, it was described by Joshua in #13533.

Actions #12

Updated by Toshi MARUYAMA about 11 years ago

  • Related to Defect #9500: Watchers list before and after creation issue added
Actions #13

Updated by Djordjije Crni about 11 years ago

First of all, I would like to thank to Felix Schäfer, who provided a patch for Defect #15123 "Add watcher" leaks all active users issue.
Today we've found one more serious problem with user & groups visibility. (We are using Redmine v2.3.3 at the moment.)
User can see the names of all groups on Redmine, by selecting issue filter by "Assignee's group"!
This happens even if issue assignment to groups isn't allowed.
I've expected to see only the names of those groups which are assigned to that project in the filter list.
And guess what, almost all group names (in my case) are constructed from two parts: project role and project name. Very original idea, isn't it?
In this case, customer can easily guess names of all projects, which is not acceptible at all.
It seems that current Redmine user/group permission model can't provide reliable customer/project isolation.
"Workaround" could be to give meaningless names to groups, and even better, give meaningless names to projects also?

Debug log shows following SQL query for groups:

SELECT "users".* FROM "users" INNER JOIN "groups_users" ON "users"."id" = "groups_users"."group_id" WHERE "users"."type" IN ('Group') AND "groups_users"."user_id" = 1

The code is somewhere in app/models/issue_query.rb, as far as I can see.
The query should show only groups which are members of project, not all groups, something like:
SELECT "members"."id" AS t0_r0, "members"."user_id" AS t0_r1, "members"."project_id" AS t0_r2 ... FROM "members" LEFT OUTER JOIN "users" ON "users"."id" = "members"."user_id" WHERE "members"."project_id" = 1 AND (users.type='Group')

Actions #14

Updated by Toshi MARUYAMA almost 11 years ago

  • Related to deleted (Defect #15123: "Add watcher" leaks all active users)
Actions #15

Updated by Toshi MARUYAMA almost 11 years ago

  • Has duplicate Defect #15123: "Add watcher" leaks all active users added
Actions #16

Updated by Pierre Maigne almost 11 years ago

This issue is also affecting us. Our customers have access to Redmine for their respective projects, but we don't really want them to access the global user list.
Until we have a solution, we removed the "Add Watchers" role, but it would better if that role was open to our customers.

I'm also going to open a separate ticket for the issue described by Djordjije 3 comments earlier as I can't find a related issue.

Anyway, thank you to all Redmine contributors. This is a great piece of software, and we enjoy using it daily.

Actions #17

Updated by Pierre Maigne almost 11 years ago

<wrong manipulation :->

Actions #18

Updated by Mischa The Evil almost 11 years ago

  • Related to Defect #15789: Users can see all groups when adding a filter "Assignee's Group" added
Actions #19

Updated by Rafał Lisowski over 10 years ago

In my opinion, should be visible only users associated with the project.
I don't have any public projects so it is easy choice for me.

Actions #20

Updated by Pierre Maigne over 10 years ago

Thanks Rafał for this new fix, it works like a charm on 2.5.1 !

Actions #21

Updated by Pierre Maigne over 10 years ago

Just a little issue with Rafał patch : if you add watchers to an existing issue, it doesn't refresh the list automatically, you have to refresh the page entirely to update the watcher list. Unfortunately, I'm not a ruby developer and can't figure out why.

I think this feature should be considered as defect, as it is a security issue.

Actions #22

Updated by Toshi MARUYAMA about 10 years ago

Actions #23

Updated by Mischa The Evil about 10 years ago

  • Related to Patch #18128: Make User profile 404 rendering more consistent (and speed up Users#show API) added
Actions #24

Updated by Mischa The Evil about 10 years ago

Actions #25

Updated by Jean-Philippe Lang about 10 years ago

  • Status changed from New to Closed
  • Target version changed from Candidate for next major release to 3.0.0
  • Resolution set to Fixed

r13584 adds a Users visibility setting on role for controlling which users can be seen.
This applies to user profiles, filters and user search when adding watchers.

Actions #26

Updated by Mischa The Evil about 10 years ago

Great to see this is being included in a release.

Just a question: the two cases given by Etienne in #11724#note-11 are not covered by this yet, right?
I can see that his first point is considered out-of-scope of this issue but I think that the second one is in-scope ánd could potentially create unexpected results (I haven't been able to test these changes myself actually, so I can't say for sure...).
Edit by Mischa The Evil: this case (when a user is not tied to a project [anymore], you can't have any visibility policy applicable) is already covered by r13584 implementation (by making the users visibility role option available to/applicable on the build-in anonymous and non-member roles too, see source:/trunk/app/models/principal.rb@13584#L51).

Actions #27

Updated by Mischa The Evil over 7 years ago

  • Related to Feature #26555: Hide user information from other users (even if they are all members of the same project) added
Actions #28

Updated by Holger Just over 2 years ago

  • Related to Feature #2060: Make project members visibility configurable to user groups added
Actions

Also available in: Atom PDF