Project

General

Profile

Actions

Patch #27676

closed

Information leak on roadmap and versions view

Added by Jan from Planio www.plan.io almost 7 years ago. Updated almost 6 years ago.

Status:
Closed
Priority:
Normal
Category:
Roadmap
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:

Description

When limiting a role's permission to only access "Issues created by or assigned to the user", the roadmap (/projects/:identifier/roadmap) and version details (versions/:id) view leaks information about inaccessible issues and time estimations. Due to missing permission checks in Version#fixed_issues the restricted user may see the overall number of issues, their status, tracker, author, category, and time estimations.

We think, this a security-relevant information leak and it should be fixed and announced responsibly. Attached you may find a proposed patch which includes tests and a fix.

The attached patch changes the Version model, so that the calculation methods (closed_issues_count, open_issues_count, etc) are now also available on the fixed_issues relation proxy object. In a second step, all relevant places, where those calcuation methods are used, are updated to include the visible scope. This fixes the roadmap view, the version details view and the version summary in the Gantt chart.

This bug was reported by a Planio user, the patch series was developed by Gregor Schmidt.


Files


Related issues

Related to Redmine - Defect #15258: Roadmap Issue Count offClosed

Actions
Has duplicate Redmine - Defect #19187: Roadmap links in subproject Closed

Actions
Has duplicate Redmine - Defect #19059: Wrong number of issues for a version in the roadmapClosed

Actions
Actions

Also available in: Atom PDF