Defect #31778: Total estimated time issue query column and issue field might leak information - Redmine

Defect #31778

Total estimated time issue query column and issue field might leak information

Added by Felix Schäfer almost 3 years ago. Updated almost 3 years ago.

Status:

Closed

Start date:

Priority:

Normal

Due date:

Assignee:

Go MAEDA

% Done:

Category:

Issues

Target version:

3.4.12

Resolution:

Affected version:

Description

The total estimated time information will show the sum of the estimated times of the issues and its subissues. This calculation does not verify if the current user is allowed to see the sub issues though, which might lead to an information leak.

Attached is a patch with a test for this issue. This patch was created and contributed by Gregor Schmidt.

0001-Limit-total_estimated_hours-to-visible-issues.patch (4.71 KB) Felix Schäfer, 2019-07-23 17:04

Related issues

Associated revisions

Revision 18356
Added by Go MAEDA almost 3 years ago

Limit total_estimated_hours to visible issues (#31778).

Patch by Gregor Schmidt.

Revision 18359
Added by Go MAEDA almost 3 years ago

Merged r18356 from trunk to 4.0-stable (#31778).

Revision 18360
Added by Go MAEDA almost 3 years ago

Merged r18356 from trunk to 3.4-stable (#31778).

History

#1 Updated by Go MAEDA almost 3 years ago

Target version set to 4.0.5

Setting the target version to 4.0.5.

#2 Updated by Go MAEDA almost 3 years ago

Status changed from New to Resolved
Assignee set to Go MAEDA

Committed the fix. Thank you.

#3 Updated by Go MAEDA almost 3 years ago

Status changed from Resolved to Closed
Target version changed from 4.0.5 to 3.4.12

#4 Updated by Go MAEDA almost 3 years ago

Related to Defect #32022: IssueSubtaskingTest fails with high probability added

Also available in: Atom PDF

Redmine