Patch #27676
closed
Information leak on roadmap and versions view
0%
Description
When limiting a role's permission to only access "Issues created by or assigned to the user", the roadmap (/projects/:identifier/roadmap) and version details (versions/:id) view leaks information about inaccessible issues and time estimations. Due to missing permission checks in Version#fixed_issues the restricted user may see the overall number of issues, their status, tracker, author, category, and time estimations.
We think, this a security-relevant information leak and it should be fixed and announced responsibly. Attached you may find a proposed patch which includes tests and a fix.
The attached patch changes the Version model, so that the calculation methods (closed_issues_count, open_issues_count, etc) are now also available on the fixed_issues relation proxy object. In a second step, all relevant places, where those calcuation methods are used, are updated to include the visible scope. This fixes the roadmap view, the version details view and the version summary in the Gantt chart.
This bug was reported by a Planio user, the patch series was developed by Gregor Schmidt.
Files
Related issues
Updated by Jean-Philippe Lang over 6 years ago
I've committed the patch serie, thanks.
This issue was already reported long time ago and it was chosen not to change the behaviour (see #15258). With this change, different users might now see different progress values for the same version and this can be confusing. I think we should add a message for when there are issues assigned to the version that are not visible to the user, for example:
- When all issues are visible: no change
- When there are no visible issues but other issues exist: "No visible issues for this version" (instead of "No issues for this version")
- When there are visible issues and other issues exist: "Some issues assigned to this version are not visible and not taken into account" (message added)
- When there are no issues: no change ("No issues for this version")
What do you think? IMO, it's important to let the user know that are other (not visible) issues that are assigned to the version.
Updated by Jean-Philippe Lang over 6 years ago
- Related to Defect #15258: Roadmap Issue Count off added
Updated by Jean-Philippe Lang over 6 years ago
Updated by Jan from Planio www.plan.io over 6 years ago
Thank you for your feedback. Here's what Gregor said:
I agree. It may be confusing, that two users may see different roadmaps. On the other hand, the same is true for issue lists, Gantt charts and many other views. This would be the first place, where a special note about invisible elements is added. It feels like a paradigm shift to me.
I don't want to argue against that change. I merely want to be sure, that it's done without proper thought.
Updated by Toshi MARUYAMA over 6 years ago
How about #19187 and #19059?
Marius provides test case in #19187#note-4.
Updated by Go MAEDA about 6 years ago
- Target version set to 4.0.0
This issue should appear in the changelog. Setting target version to 4.0.0.
Updated by Go MAEDA about 6 years ago
- Has duplicate Defect #19187: Roadmap links in subproject added
Updated by Go MAEDA about 6 years ago
- Has duplicate Defect #19059: Wrong number of issues for a version in the roadmap added
Updated by Jean-Philippe Lang over 5 years ago
- Status changed from New to Closed
- Assignee set to Jean-Philippe Lang
Updated by Jean-Philippe Lang over 5 years ago
- Project changed from 2 to Redmine
- Category set to Roadmap