Patch #27009

Clarify consequences of disabling the login_required setting

Added by Holger Just over 4 years ago. Updated about 4 years ago.

Status:ClosedStart date:
Priority:NormalDue date:
Assignee:Go MAEDA% Done:

0%

Category:UI
Target version:4.0.0

Description

When an administrator disabled the login_required setting and/or sets projects as public, this can have grave consequences for the protection of the data in-house projects. If this is done carelessly, confidential data might be exposed to undesired audiences (e.g. the global unauthenticated internet).

The attached patches try to make the consequences of these settings clearer by making them more prominent and explain their consequences to the user. This helps admins and project managers make the correct decisions.

We use these patches on Planio where all accounts require authentication by default. But even for "older" Redmine installations which might have some internal public projects it might still be surprising that they are suddenly public when not enforcing authentication anymore.

0001-Clarify-consequences-of-disabling-the-login_required.patch Magnifier (2.79 KB) Holger Just, 2017-09-15 16:35

0002-Clarify-consequences-of-setting-a-project-as-public.patch Magnifier (2.69 KB) Holger Just, 2017-09-15 16:35

0001-Clarify-consequences-of-disabling-the-login_required.patch Magnifier (2.72 KB) Holger Just, 2018-04-20 15:13

0002-Clarify-consequences-of-setting-a-project-as-public.patch Magnifier (2.66 KB) Holger Just, 2018-04-20 15:13

Related issues

Related to Redmine - Feature #35044: Show notice on project's overview page when the project i... New

Associated revisions

Revision 17310
Added by Go MAEDA about 4 years ago

Clarify consequences of disabling the login_required (#27009).

Patch by Holger Just.

Revision 17311
Added by Go MAEDA about 4 years ago

Clarify consequences of setting a project as public (#27009).

Patch by Holger Just.

Revision 17312
Added by Go MAEDA about 4 years ago

Update locales (#27009).

History

#1 Updated by Jan from Planio www.plan.io over 4 years ago

  • Description updated (diff)
  • Target version set to Candidate for next minor release

#2 Updated by Go MAEDA over 4 years ago

  • Target version changed from Candidate for next minor release to 4.1.0

I think this patch is very valuable because sometimes I find a Redmine instance which unintentionally exposes internal projects on the internet. This patch can prevent users from making such inappropriate settings.

I am setting target version to 4.1.0.

#3 Updated by Toshi MARUYAMA over 4 years ago

  • Description updated (diff)

#4 Updated by Go MAEDA about 4 years ago

I think we should slightly change messages in the patch, replace the word "Internet" with "network" because Redmine may be deployed on intranets.

  • text_login_required_html:
    When not requiring authentication, public projects and their contents are openly available on the Internet network.
  • text_project_is_public_anonymous:
    Public projects and their contents are openly available on the Internet network.

#5 Updated by Holger Just about 4 years ago

I just updated the patches with the wording changes proposed by Maeda-san.

I also rebased the patches on the current trunk at r17295.

#6 Updated by Go MAEDA about 4 years ago

  • Status changed from New to Closed
  • Assignee set to Go MAEDA
  • Target version changed from 4.1.0 to 4.0.0

Committed. Thank you for sharing the patches.

#7 Updated by Go MAEDA about 1 year ago

  • Related to Feature #35044: Show notice on project's overview page when the project is public added

Also available in: Atom PDF