Patch #27676 (closed)

Information leak on roadmap and versions view

Added by Jan from Planio www.plan.io over 6 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Category: Roadmap
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:

Description

When limiting a role's permission to only access "Issues created by or assigned to the user", the roadmap (/projects/:identifier/roadmap) and version details (versions/:id) views leak information about inaccessible issues and time estimations. Due to missing permission checks in Version#fixed_issues, the restricted user may see the overall number of issues, their status, tracker, author, category, and time estimations.

We think this is a security-relevant information leak and it should be fixed and announced responsibly. Attached you may find a proposed patch which includes tests and a fix.

The attached patch changes the Version model, so that the calculation methods (closed_issues_count, open_issues_count, etc.) are now also available on the fixed_issues relation proxy object. In a second step, all relevant places where those calculation methods are used are updated to include the visible scope. This fixes the roadmap view, the version details view and the version summary in the Gantt chart.

This bug was reported by a Planio user; the patch series was developed by Gregor Schmidt.
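The following is an added illustration, not the attached patch or any Redmine code: a plain-Ruby model (no ActiveRecord) of the count leak described above and of the scoped-count approach the patch description outlines. The class and method names, the :own/:all visibility flag standing in for the "Issues created by or assigned to the user" role setting, and the sample issues are all constructed here for the example.

```ruby
# Added example (not Redmine's code): a minimal model of the roadmap count leak
# and of taking the counts over the visible scope instead. Names, the
# :own/:all visibility flag and the sample data are constructed for illustration.

Issue = Struct.new(:id, :author_id, :assigned_to_id, :closed, :estimated_hours,
                   :fixed_version_id, keyword_init: true)
# issues_visibility stands in for the role setting: :all sees every issue,
# :own only issues the user authored or is assigned to.
User = Struct.new(:id, :issues_visibility, keyword_init: true)

# Relation proxy carrying the calculation methods, so a caller can apply the
# visible scope first and take the counts afterwards.
class IssueRelation
  include Enumerable

  def initialize(issues)
    @issues = issues
  end

  def each(&block)
    @issues.each(&block)
  end

  # The permission check that an unscoped count skips.
  def visible(user)
    return self if user.issues_visibility == :all
    IssueRelation.new(select { |i| i.author_id == user.id || i.assigned_to_id == user.id })
  end

  def open_issues_count
    count { |i| !i.closed }
  end

  def closed_issues_count
    count(&:closed)
  end

  def estimated_hours
    sum { |i| i.estimated_hours.to_f }
  end
end

class Version
  attr_reader :id

  def initialize(id, issues)
    @id = id
    @issues = issues
  end

  # Returns the proxy rather than a bare Array, so callers can chain .visible(user).
  def fixed_issues
    IssueRelation.new(@issues.select { |i| i.fixed_version_id == id })
  end
end

# Roadmap summary for one version. scoped: false reproduces the leak (counts
# over every issue on the version regardless of who asks); scoped: true is the
# behaviour the patch aims for.
def roadmap_summary(version, user, scoped: true)
  rel = version.fixed_issues
  rel = rel.visible(user) if scoped
  { open: rel.open_issues_count, closed: rel.closed_issues_count, hours: rel.estimated_hours }
end

# Constructed sample data: three issues on version 1, only one of which the
# restricted user 7 is allowed to see.
SAMPLE_ISSUES = [
  Issue.new(id: 1, author_id: 7, assigned_to_id: nil, closed: false, estimated_hours: 2.0, fixed_version_id: 1),
  Issue.new(id: 2, author_id: 3, assigned_to_id: 4,   closed: false, estimated_hours: 8.0, fixed_version_id: 1),
  Issue.new(id: 3, author_id: 3, assigned_to_id: 5,   closed: true,  estimated_hours: 5.5, fixed_version_id: 1),
  Issue.new(id: 4, author_id: 7, assigned_to_id: nil, closed: false, estimated_hours: 1.0, fixed_version_id: 2)
].freeze
RESTRICTED_USER = User.new(id: 7, issues_visibility: :own)
VERSION_ONE = Version.new(1, SAMPLE_ISSUES)

if __FILE__ == $PROGRAM_NAME
  puts "unscoped: #{roadmap_summary(VERSION_ONE, RESTRICTED_USER, scoped: false)}"
  puts "scoped:   #{roadmap_summary(VERSION_ONE, RESTRICTED_USER)}"
end
```

Run stand-alone, the unscoped summary reports all three issues and 15.5 estimated hours to a user who is only entitled to see one of them; the scoped summary reports one open issue and 2.0 hours. The point of returning a proxy from fixed_issues is that every caller (roadmap, version details, Gantt summary) can take its counts through the same .visible(user) step instead of each re-implementing the check.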

Related issues

Related to Redmine - Defect #15258: Roadmap Issue Count off (Closed)
Has duplicate Redmine - Defect #19187: Roadmap links in subproject (Closed)
Has duplicate Redmine - Defect #19059: Wrong number of issues for a version in the roadmap (Closed)