Defect #20469
closed
Document Access
0%
Description
Have two projects: Project1, Project2
Member1 is assigned to Project1, Member2 is assigned to Project2.
Member1 uploaded a document, doc1, in one of the issues under Project1
Member2 uploaded a document, doc2, in one of the issues under Project2
Member1 is able to access doc2!
https://<application.com>/requests_download/40924
Member2 is able to access doc1!
https://<application.com>/requests_download/40923
Found that anyone can access any document: a document added in a wiki page, a file uploaded in an issue, or documents added in the "Files" module.
Please let us know how to fix this.
Updated by Jan Niggemann (redmine.org team member) over 9 years ago
- Due date set to 2015-09-05
- Status changed from New to Needs feedback
How are the members and roles set up? Are both members administrators? Do both projects share the same root (look at RedmineProjectSettings)?
Updated by Holger Just 3 months ago
- Due date deleted (2015-09-05)
- Status changed from Needs feedback to Closed
- Resolution set to Invalid
Redmine does not use the /requests_download/ID URLs. If you see these URLs in your Redmine, they are likely provided by a plugin. In that case, it's the duty of the plugin (resp. its authors) to correctly check permissions. Please contact the plugin authors instead.
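
What a per-object permission check on an ID-based download route looks like, as an added Ruby example that is not Redmine's or any plugin's code. All class and method names are hypothetical; the fixture is constructed from the two projects, two members and two IDs in the report, plus an administrator, since administrators normally bypass membership checks.

```ruby
require "set"
# Constructed model; every name here is hypothetical, not Redmine or plugin code.
User     = Struct.new(:login, :admin)
Project  = Struct.new(:name, :members)   # members: Set of logins
Document = Struct.new(:id, :filename, :project)
class NotFound < StandardError; end

class DownloadHandler
  def initialize(documents)
    @by_id = documents.to_h { |d| [d.id, d] }
  end

  # Behaviour described in the report: the ID in the URL alone selects the file.
  def download_unchecked(_user, id)
    @by_id.fetch(Integer(id)) { raise NotFound }.filename
  end

  # Checked variant: load the object, then authorize the requesting user
  # against the project that owns it before returning anything.
  def download(user, id)
    doc = @by_id[Integer(id, exception: false)]
    # Same error for "missing" and "not permitted", so IDs cannot be probed.
    raise NotFound unless doc && visible?(user, doc)
    doc.filename
  end

  private
  def visible?(user, doc)
    return false if user.nil?                 # anonymous request
    user.admin || doc.project.members.include?(user.login)
  end
end

# Fixture mirroring the report: two projects, one member each, IDs as in the URLs.
def fixture
  p1 = Project.new("Project1", Set["member1"])
  p2 = Project.new("Project2", Set["member2"])
  docs = [Document.new(40923, "doc1", p1), Document.new(40924, "doc2", p2)]
  users = { member1: User.new("member1", false), member2: User.new("member2", false),
            admin: User.new("admin", true) }
  [DownloadHandler.new(docs), users]
end

# True when the checked handler serves the file to this user.
def allowed?(handler, user, id)
  handler.download(user, id)
  true
rescue NotFound
  false
end
```

The cross-project cases (`member1` requesting 40924, `member2` requesting 40923) are the ones worth keeping as regression tests for any route that serves files by ID.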