Defect #24915
Activity shows issues and text of issues which should not
| Status: | Needs feedback | Start date: | ||
|---|---|---|---|---|
| Priority: | High | Due date: | ||
| Assignee: | - | % Done: | 0% | |
| Category: | Security | |||
| Target version: | - | |||
| Resolution: | Affected version: | 3.3.1 |
Description
If as user only allowed to see your issues (Issues assigned or created by user) and you click on a different member of the project from the Project overview side.
- You will see all the tickets assigned to that user and some of the content of the tickets as well.
- If you click on a ticket from the activity you will get 403 Forbidden.
This may be applicable on other kind of activities.
Related issues
History
#1
Updated by Toshi MARUYAMA over 5 years ago
- Status changed from New to Needs feedback
Please describe more details and see submissions.
#2
Updated by Toshi MARUYAMA over 5 years ago
- Related to Defect #22120: Issues are visible in Issue List but not in Issue Detail added
#3
Updated by Go MAEDA almost 4 years ago
I could not reproduce the problem with 3.4.6.devel.17468. All activities on a user's profile page are visible issues for the current user.