Project

General

Profile

Actions

Defect #24915

open

Activity shows issues and text of issues which should not

Added by Thomas Löfgren about 7 years ago. Updated over 5 years ago.

Status:
Needs feedback
Priority:
High
Assignee:
-
Category:
Security
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Affected version:

Description

If as user only allowed to see your issues (Issues assigned or created by user) and you click on a different member of the project from the Project overview side.

  • You will see all the tickets assigned to that user and some of the content of the tickets as well.
  • If you click on a ticket from the activity you will get 403 Forbidden.

This may be applicable on other kind of activities.


Related issues

Related to Redmine - Defect #22120: Issues are visible in Issue List but not in Issue DetailNeeds feedback

Actions
Actions #1

Updated by Toshi MARUYAMA about 7 years ago

  • Status changed from New to Needs feedback

Please describe more details and see submissions.

Actions #2

Updated by Toshi MARUYAMA about 7 years ago

  • Related to Defect #22120: Issues are visible in Issue List but not in Issue Detail added
Actions #3

Updated by Go MAEDA over 5 years ago

I could not reproduce the problem with 3.4.6.devel.17468. All activities on a user's profile page are visible issues for the current user.

Actions

Also available in: Atom PDF