Defect #15789

Users can see all groups when adding a filter "Assignee's Group"

Added by Pierre Maigne about 10 years ago. Updated over 9 years ago.

Status: Closed
Priority: Normal
Category: Permissions and roles
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Fixed
Affected version:

Description

Hello,

I'm going to quote Djordjije who perfectly explained the problem in issue #11724, note 13 (even if issue #11724 has nothing to do with this current issue).

Djordjije Crni wrote:

User can see the names of all groups on Redmine, by selecting issue filter by "Assignee's group"!
This happens even if issue assignment to groups isn't allowed.
I've expected to see only the names of those groups which are assigned to that project in the filter list.
And guess what, almost all group names (in my case) are constructed from two parts: project role and project name. Very original idea, isn't it?
In this case, customer can easily guess names of all projects, which is not acceptable at all.
It seems that current Redmine user/group permission model can't provide reliable customer/project isolation.
"Workaround" could be to give meaningless names to groups, and even better, give meaningless names to projects also?

We have the same issue. We create a group for each customer who is accessing Redmine, and the group name is the customer name. This way, any customer can access our whole customer list.

Thanks in advance for your feedback.
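
The scoping the quoted report expected (only groups that belong to the project appear in the "Assignee's group" filter list), shown next to the unscoped behaviour it describes. This is an added example, not part of the original report, not Redmine's code and not the attached patch; the structs, sample data and function names are hypothetical and constructed for illustration.

```ruby
require "set"

# Constructed sample data; names and fields are hypothetical, not Redmine's schema.
Group   = Struct.new(:id, :name)
Project = Struct.new(:id, :name, :member_group_ids, :member_user_ids)

GROUPS = [
  Group.new(1, "Customer Acme"),
  Group.new(2, "Customer Globex"),
  Group.new(3, "Developers"),
].freeze

PROJECTS = [
  Project.new(10, "Acme portal",     Set[1, 3], Set[100, 200]),
  Project.new(20, "Globex intranet", Set[2, 3], Set[101, 200]),
].freeze

# Projects the user is a member of (stand-in for a real visibility check).
def visible_projects(user_id)
  PROJECTS.select { |p| p.member_user_ids.include?(user_id) }
end

# Behaviour described in the report: every group name is offered as a
# filter value, regardless of who is asking or which project is open.
def group_filter_values_unscoped(_user_id, _project = nil)
  GROUPS.map(&:name).sort
end

# Scoped variant: offer only groups that are members of the current project,
# or, for a cross-project query (project is nil), of projects the user can see.
# A project the user cannot see contributes nothing.
def group_filter_values_scoped(user_id, project = nil)
  visible = visible_projects(user_id)
  scope   = project ? visible.select { |p| p.id == project.id } : visible
  allowed = scope.flat_map { |p| p.member_group_ids.to_a }.to_set
  GROUPS.select { |g| allowed.include?(g.id) }.map(&:name).sort
end

if __FILE__ == $PROGRAM_NAME
  puts "unscoped, user 100: #{group_filter_values_unscoped(100).inspect}"
  puts "scoped,   user 100: #{group_filter_values_scoped(100).inspect}"
end
```

A group shared between projects (here "Developers") is still listed for every member of those projects, so customer-specific names should not be placed on shared groups.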


Files

0001-redmine-issue-15789.patch (1.14 KB) - disable issues filter by group - Rafał Lisowski, 2014-05-19 11:09

Related issues

Related to Redmine - Feature #11724: Prevent users from seeing other users based on their project membership (Closed, Jean-Philippe Lang)
