Defect #21136
closed
Issues API may disclose changeset messages that are not visible
Added by Jan from Planio www.plan.io about 9 years ago.
Updated almost 9 years ago.
Description
The check to include related changesets in the single issue API view currently is done against the project of the issue.
An issue can have related changesets from other projects, where the current user might not have the permission to see changesets. This leads to changeset messages being leaked to users without the permission to see those.
The attached patch (created by Felix Schäfer) uses the changesets passed by the controller instead of reimplementing logic in the view, thus sharing the same logic as the html view.
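The flaw described above is an authorization check made at the wrong granularity: one permission check against the issue's project is used to decide visibility for changesets that may belong to other projects. The following Ruby model is an added example, not Redmine's code or the attached patch; it uses constructed Project, User, Changeset and Issue structs and a hypothetical `can_view_changesets?` helper to contrast the per-issue check with the per-changeset check that the HTML view already applied.

```ruby
# Added example (not Redmine's code): a minimal model of the visibility bug
# reported in #21136 and the per-changeset check that closes it.

Project   = Struct.new(:name)
# changeset_projects: projects in which this user may view changesets
User      = Struct.new(:name, :changeset_projects)
Changeset = Struct.new(:project, :revision, :comments)
Issue     = Struct.new(:project, :changesets)

# Hypothetical stand-in for a "view changesets" permission lookup.
def can_view_changesets?(user, project)
  user.changeset_projects.include?(project)
end

# Vulnerable variant: a single check against the issue's project decides for
# every related changeset, including those that live in other projects.
def api_changesets_vulnerable(issue, user)
  return [] unless can_view_changesets?(user, issue.project)
  issue.changesets
end

# Fixed variant: each changeset is checked against its own project, which is
# the rule the HTML view applies. The report's fix achieved the same effect by
# reusing the controller-filtered changesets instead of re-deriving visibility
# in the API view.
def api_changesets_fixed(issue, user)
  issue.changesets.select { |cs| can_view_changesets?(user, cs.project) }
end

# Changeset comments the vulnerable variant exposes and the fixed one does not.
def leaked_comments(issue, user)
  (api_changesets_vulnerable(issue, user) - api_changesets_fixed(issue, user))
    .map(&:comments)
end

# Constructed sample data: an issue in a public project that references a
# changeset from a private project the outsider may not see.
PUBLIC_PROJECT  = Project.new("public")
PRIVATE_PROJECT = Project.new("private")
ISSUE = Issue.new(PUBLIC_PROJECT, [
  Changeset.new(PUBLIC_PROJECT,  "r100", "Fix typo in README (refs #1)"),
  Changeset.new(PRIVATE_PROJECT, "r7",   "Internal: rename customer account table (refs #1)"),
])
OUTSIDER = User.new("outsider", [PUBLIC_PROJECT])
INSIDER  = User.new("insider",  [PUBLIC_PROJECT, PRIVATE_PROJECT])

if __FILE__ == $0
  puts "Vulnerable view for outsider: #{api_changesets_vulnerable(ISSUE, OUTSIDER).map(&:revision).inspect}"
  puts "Fixed view for outsider:      #{api_changesets_fixed(ISSUE, OUTSIDER).map(&:revision).inspect}"
  puts "Leaked comments:              #{leaked_comments(ISSUE, OUTSIDER).inspect}"
  puts "Fixed view for insider:       #{api_changesets_fixed(ISSUE, INSIDER).map(&:revision).inspect}"
end
```

The design point is the same one the report makes: when a view reimplements a filter the controller already performs, the two can drift, and the drift here is exactly the difference between "does the user have access to this issue's project" and "does the user have access to each changeset's project". A regression test for this class of bug needs a related changeset in a project the test user cannot see; as the follow-up comment notes, a user who happens to have access to the changeset makes the test pass for the wrong reason.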
- Status changed from New to Resolved
- Assignee set to Jean-Philippe Lang
- Resolution set to Fixed
Thanks for reporting this. The fix is committed in r14794.
The :repositories fixtures were missing in the test, and adding them made the test fail (the user used in the test had actually access to the changeset).
Jean-Philippe Lang wrote:
The :repositories fixtures were missing in the test, and adding them made the test fail (the user used in the test had actually access to the changeset).
Thanks for committing this (and for pointing this out as well).
- Project changed from 2 to Redmine
- Subject changed from Information leak in IssuesController#show API to Issues API may disclose changeset messages that are not visible
- Category set to Issues
- Status changed from Resolved to Closed
- Target version set to 2.6.8
- Private changed from No to Yes
- Private changed from Yes to No
Making this public since fixes have been released already.