<p><strong>Redmine - Defect #15123: "Add watcher" leaks all active users</strong> (<a href="https://www.redmine.org/issues/15123">https://www.redmine.org/issues/15123</a>)</p>
<p><em>Toshi MARUYAMA, 2013-10-14T08:21:13Z</em> (<a href="https://www.redmine.org/issues/15123?journal_id=52548">journal 52548</a>)</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-1 priority-4 priority-default" href="/issues/9500">Defect #9500</a>: Watchers list before and after creation issue</i> added</li></ul>
<p><em>Toshi MARUYAMA, 2013-10-14T08:24:28Z</em> (<a href="https://www.redmine.org/issues/15123?journal_id=52550">journal 52550</a>)</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/5159">Feature #5159</a>: Ability to add Non-Member watchers to the watch list</i> added</li></ul>
<p><em>Toshi MARUYAMA, 2013-10-14T08:28:20Z</em> (<a href="https://www.redmine.org/issues/15123?journal_id=52552">journal 52552</a>)</p>
<p>I think this is intended behavior of <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: Ability to add Non-Member watchers to the watch list (Closed)" href="https://www.redmine.org/issues/5159">#5159</a>.</p>
<p><em>Mischa The Evil, 2013-10-14T08:33:16Z</em> (<a href="https://www.redmine.org/issues/15123?journal_id=52553">journal 52553</a>)</p>
<p>This actually is a duplicate of <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: Prevent users from seeing other users based on their project membership (Closed)" href="https://www.redmine.org/issues/11724">#11724</a>, where <a class="issue tracker-1 status-1 priority-4 priority-default" title="Defect: Watchers list before and after creation issue (New)" href="https://www.redmine.org/issues/9500">#9500</a> isn't actually tightly related. I'd suggest keeping this issue open because it contains a patch with tests.<br />Thanks for sharing this!</p>
<p><em>Mischa The Evil, 2013-10-14T08:33:26Z</em> (<a href="https://www.redmine.org/issues/15123?journal_id=52554">journal 52554</a>)</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/11724">Feature #11724</a>: Prevent users from seeing other users based on their project membership</i> added</li></ul>
<p><em>Felix Schäfer, 2013-10-14T08:38:51Z</em> (<a href="https://www.redmine.org/issues/15123?journal_id=52557">journal 52557</a>)</p>
<p>I had thought about that, and also about private issues (I'm still not 100% sure how those work, but IIRC watchers can see private issues too?), but I still think the current solution can be improved. The user pages for example still go to great lengths to make sure you can only see the user pages of users that have some activity in a project you can see <a class="source" href="https://www.redmine.org/projects/redmine/repository/svn/entry/branches/2.3-stable/app/controllers/users_controller.rb#L68">source:/branches/2.3-stable/app/controllers/users_controller.rb#L68</a>, probably to not disclose too many users.</p>
<p>I'm not really in favor of adding even more permissions, but what about a second permission for adding watchers: Rename the current permission to "Add any user as watcher" and "Add users you can see as watcher" or something similar?</p>
<p><em>Felix Schäfer, 2013-10-14T08:41:20Z</em> (<a href="https://www.redmine.org/issues/15123?journal_id=52560">journal 52560</a>)</p>
<p>Mischa The Evil wrote:</p>
<blockquote>
<p>I'd suggest to keep this issue open because it contains a patch</p>
</blockquote>
<p>Yes.</p>
<blockquote>
<p>with tests.</p>
</blockquote>
<p>No.</p>
<p>This currently should rather be considered a working and solid proof of concept, I especially wanted some discussion as to whether this behavior is intended, if it could or should be improved upon or if the Redmine core is happy with the current state and doesn't want to change it.</p>
<p><em>Mischa The Evil, 2013-10-20T04:01:56Z</em> (<a href="https://www.redmine.org/issues/15123?journal_id=52687">journal 52687</a>)</p>
<p>Felix Schäfer wrote:</p>
<blockquote>
<p>[...] and also about private issues (I'm still not 100% sure how those work, but IIRC watchers can see private issues too?) [...]</p>
</blockquote>
<p>The watcher mechanism is not (and should not be) used for access control. It is used for notification purposes only. See <a class="issue tracker-2 status-1 priority-4 priority-default" title="Feature: Create an 'Involve' mechanism to private issues (New)" href="https://www.redmine.org/issues/8488">#8488</a>.<br /><em>(please post to the forum with questions about the current implementation of private issues, I'd be happy to catch you up on the subject ;)</em></p>
<blockquote>
<p>but I still think the current solution can be improved.</p>
</blockquote>
<p>I totally agree.</p>
<blockquote>
<p>The user pages for example still go to great lengths to make sure you can only see the user pages of users that have some activity in a project you can see <a class="source" href="https://www.redmine.org/projects/redmine/repository/svn/entry/branches/2.3-stable/app/controllers/users_controller.rb#L68">source:/branches/2.3-stable/app/controllers/users_controller.rb#L68</a>, probably to not disclose too many users.</p>
</blockquote>
<p>Yes, indeed. And I think this is good. See <a class="changeset" title="Do not show user profile if no visible project or activity (#4129, #3720)." href="https://www.redmine.org/projects/redmine/repository/svn/revisions/2986">r2986</a> which introduced these checks for <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: account/show/:user_id should not be accessible for other users not in your projects (Closed)" href="https://www.redmine.org/issues/3720">#3720</a> and <a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Defect: Anonymous users can get all user's information (Closed)" href="https://www.redmine.org/issues/4129">#4129</a>.</p>
<blockquote>
<p>I'm not really in favor of adding even more permissions, but what about a second permission for adding watchers: Rename the current permission to "Add any user as watcher" and "Add users you can see as watcher" or something similar?</p>
</blockquote>
<p>That would solve the issue as far as I can see. Considering the nature of the issue I tend to think that it could justify adding such permission.</p>
<blockquote>
<p>[...] I especially wanted some discussion as to whether this behavior is intended, if it could or should be improved upon or if the Redmine core is happy with the current state and doesn't want to change it.</p>
</blockquote>
<p>As Toshi stated in note-3 it indeed seems the intended behavior as per <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: Ability to add Non-Member watchers to the watch list (Closed)" href="https://www.redmine.org/issues/5159">#5159</a>.<br />I definitely think it would be good if this is going to be improved. <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: Prevent users from seeing other users based on their project membership (Closed)" href="https://www.redmine.org/issues/11724">#11724</a> was filed initially as a defect, which I think this behavior is in the light of <a class="changeset" title="Do not show user profile if no visible project or activity (#4129, #3720)." href="https://www.redmine.org/projects/redmine/repository/svn/revisions/2986">r2986</a>.</p>
<blockquote>
<p>Mischa The Evil wrote:</p>
<blockquote>
<p>with tests.</p>
</blockquote>
<p>No.</p>
</blockquote>
<p>Hmm, I think I was a bit distracted and made a Freudian typo... ;)</p>
<p>Off-topic: This is affecting ChiliProject too. See:</p>
<ul>
<li><a href="https://www.chiliproject.org/projects/chiliproject/repository/revisions/master/entry/app/views/watchers/_watchers.rhtml#L15" class="external">chiliproject:source:/app/views/watchers/_watchers.rhtml@master#L15</a>, which got introduced for CP-issue <a href="https://www.chiliproject.org/issues/800" class="external">800</a></li>
<li>CP-issue <a href="https://www.chiliproject.org/issues/1073" class="external">1073</a></li>
</ul>
<p><em>Jean-Philippe Lang, 2013-10-20T15:50:37Z</em> (<a href="https://www.redmine.org/issues/15123?journal_id=52699">journal 52699</a>)</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Closed</i></li><li><strong>Resolution</strong> set to <i>Duplicate</i></li></ul><p>I'm closing it in favour of <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: Prevent users from seeing other users based on their project membership (Closed)" href="https://www.redmine.org/issues/11724">#11724</a>. Please have a look at my note <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: Prevent users from seeing other users based on their project membership (Closed)" href="https://www.redmine.org/issues/11724#note-8">#11724-8</a>.</p>
<p><em>Toshi MARUYAMA, 2013-12-06T13:50:01Z</em> (<a href="https://www.redmine.org/issues/15123?journal_id=53628">journal 53628</a>)</p>
<ul><li><strong>Related to</strong> deleted (<i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/11724">Feature #11724</a>: Prevent users from seeing other users based on their project membership</i>)</li></ul>
<p><em>Toshi MARUYAMA, 2013-12-06T13:50:13Z</em> (<a href="https://www.redmine.org/issues/15123?journal_id=53630">journal 53630</a>)</p>
<ul><li><strong>Is duplicate of</strong> <i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/11724">Feature #11724</a>: Prevent users from seeing other users based on their project membership</i> added</li></ul>
<p><em>Toshi MARUYAMA, 2013-12-06T13:51:51Z</em> (<a href="https://www.redmine.org/issues/15123?journal_id=53634">journal 53634</a>)</p>
<ul><li><strong>Has duplicate</strong> <i><a class="issue tracker-1 status-5 priority-4 priority-default closed" href="/issues/15613">Defect #15613</a>: 'Add watchers' within the new issue reveals all the accounts</i> added</li></ul>