Defect #24915

Activity shows issues and text of issues which should not

Added by Thomas Löfgren almost 5 years ago. Updated over 3 years ago.

Status: Needs feedback
Start date:
Priority: High
Due date:
Assignee: -
% Done: 0%
Category: Security
Target version: -
Resolution:
Affected version: 3.3.1

Description

If, as a user, you are only allowed to see your own issues (issues assigned to or created by the user) and you click on a different member of the project from the Project overview side:

  • You will see all the tickets assigned to that user and some of the content of the tickets as well.
  • If you click on a ticket from the activity you will get 403 Forbidden.

This may be applicable to other kinds of activities.


Related issues

Related to Redmine - Defect #22120: Issues are visible in Issue List but not in Issue Detail (Needs feedback)

History

#1 Updated by Toshi MARUYAMA almost 5 years ago

  • Status changed from New to Needs feedback

Please describe more details and see submissions.

#2 Updated by Toshi MARUYAMA almost 5 years ago

  • Related to Defect #22120: Issues are visible in Issue List but not in Issue Detail added

#3 Updated by Go MAEDA over 3 years ago

I could not reproduce the problem with 3.4.6.devel.17468. All activities on a user's profile page are visible issues for the current user.
