Defect #21136 (closed)
Issues API may disclose changeset messages that are not visible
Description
The check to include related changesets in the single issue API view is currently done against the project of the issue.
An issue can have related changesets from other projects, where the current user might not have the permission to see changesets. This leads to changeset messages being leaked to users without the permission to see those.
The attached patch (created by Felix Schäfer) uses the changesets passed by the controller instead of reimplementing logic in the view, thus sharing the same logic as the html view.
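A self-contained illustration of the defect described above (added example, not Redmine's code or the attached patch): a single permission check against the issue's own project lets through changesets that belong to another project, while filtering each changeset by the permission in its own project does not. The `Project`, `Changeset`, `Issue` and `User` classes and the sample data are constructed for the example.

```ruby
# Added, illustrative model of the #21136 defect (not Redmine's code).
# A user may see an issue's changesets only if they have :view_changesets
# in the project each changeset belongs to, not merely in the issue's project.

Project   = Struct.new(:name)
Changeset = Struct.new(:project, :message)
Issue     = Struct.new(:project, :changesets)

class User
  def initialize(changeset_projects)
    @changeset_projects = changeset_projects  # projects where :view_changesets is granted
  end

  def allowed_to_view_changesets?(project)
    @changeset_projects.include?(project)
  end
end

# Vulnerable: one check against the issue's project, then every related
# changeset is serialized, including those from other projects.
def api_changesets_before(issue, user)
  return [] unless user.allowed_to_view_changesets?(issue.project)
  issue.changesets.map(&:message)
end

# Fixed: filter each changeset by the permission in its own project,
# the same rule the HTML view applies (the patch reuses the controller's list).
def visible_changesets(issue, user)
  issue.changesets.select { |cs| user.allowed_to_view_changesets?(cs.project) }
end

def api_changesets_after(issue, user)
  visible_changesets(issue, user).map(&:message)
end

# Constructed sample: issue in project A, with changesets from A and B.
PROJECT_A = Project.new("A")
PROJECT_B = Project.new("B")
SAMPLE_ISSUE = Issue.new(PROJECT_A, [
  Changeset.new(PROJECT_A, "Fix typo in README"),
  Changeset.new(PROJECT_B, "Internal: rotate API keys for B"),
])
USER_A_ONLY = User.new([PROJECT_A])  # may view changesets in A, not in B

if __FILE__ == $0
  p api_changesets_before(SAMPLE_ISSUE, USER_A_ONLY) # leaks the project B message
  p api_changesets_after(SAMPLE_ISSUE, USER_A_ONLY)  # only the project A message
end
```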
Updated by Jean-Philippe Lang about 9 years ago
- Status changed from New to Resolved
- Assignee set to Jean-Philippe Lang
- Resolution set to Fixed
Thanks for reporting this. The fix is committed in r14794.
The :repositories fixtures were missing in the test, and adding them made the test fail (the user used in the test actually had access to the changeset).
Updated by Jan from Planio www.plan.io about 9 years ago
Jean-Philippe Lang wrote:
The :repositories fixtures were missing in the test, and adding them made the test fail (the user used in the test actually had access to the changeset).
Thanks for committing this (and for pointing this out as well).
Updated by Jean-Philippe Lang about 9 years ago
- Project changed from 2 to Redmine
- Subject changed from Information leak in IssuesController#show API to Issues API may disclose changeset messages that are not visible
- Category set to Issues
- Status changed from Resolved to Closed
- Target version set to 2.6.8
- Private changed from No to Yes
Updated by Jan from Planio www.plan.io almost 9 years ago
- Private changed from Yes to No
Making this public since fixes have been released already.