Defect #37109
Email fields visibility from journal
Status:
Closed
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
Due date:
% Done:
0%
Estimated time:
Resolution:
Invalid
Affected version:
Description
We have detected that notification emails can contain custom fields that should not be visible to a given user. We have Issue Custom Fields with a specific visibility setting (configured within the custom field administration).
Notification emails contain two parts with field information:
- information from the journal about what has changed (using the `details_to_strings` helper function)
- a full issue overview (using the `render_email_issue_attributes` helper function)

The `render_email_issue_attributes` function validates what should be rendered, i.e. which fields can be visible to the user. This function takes the user as one of its parameters. The `details_to_strings` function only shows information from the journal and does not validate whether the fields are visible to the given user.
Thus, some users get information that they cannot see and that may be sensitive.
We are using Redmine 3.4.4, but based on a quick check of the current source code the issue should still be there.
Environment:
- Redmine version: 3.4.4.stable
- Ruby version: 2.6.0-p0 (2018-12-25) [x86_64-linux]
- Rails version: 4.2.8
- Environment: production
- Database adapter: Mysql2
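As an added illustration, not code from Redmine or from the reporter, the following self-contained Ruby model shows the gap the report describes and one way to close it: the unfiltered journal renderer emits every detail, while the hardened variant takes the recipient as a parameter and drops custom-field changes the recipient's roles may not see. The structs, the `CUSTOM_FIELDS` table, `detail_visible?` and the `_for` / `_unfiltered` function names are constructed for this example; only `details_to_strings` is a name from the report.

```ruby
# Self-contained model of the problem: journal details for custom fields must be
# filtered by the custom field's visibility before they are rendered into an email.
# The structs below are constructed stand-ins, not Redmine's models.
CustomField = Struct.new(:id, :name, :visible, :role_ids) do
  # Mirrors a "visible to all" / "visible to these roles only" setting.
  def visible_by?(user)
    visible || (user.role_ids & role_ids).any?
  end
end
User = Struct.new(:name, :role_ids)
JournalDetail = Struct.new(:property, :prop_key, :old_value, :value)

CUSTOM_FIELDS = {
  1 => CustomField.new(1, 'Severity', true, []),
  2 => CustomField.new(2, 'Customer contract', false, [:manager]),
}

# A detail is renderable for user unless it is a custom-field change the user may not see.
def detail_visible?(detail, user)
  return true unless detail.property == 'cf'
  cf = CUSTOM_FIELDS[detail.prop_key.to_i]
  !cf.nil? && cf.visible_by?(user)
end

def detail_to_string(detail)
  label = detail.property == 'cf' ? CUSTOM_FIELDS[detail.prop_key.to_i].name : detail.prop_key
  "#{label} changed from #{detail.old_value} to #{detail.value}"
end

# Unfiltered rendering, the behaviour the report describes: every journal detail is emitted.
def details_to_strings_unfiltered(details)
  details.map { |d| detail_to_string(d) }
end

# Hardened rendering: the recipient is a parameter and hidden custom fields are dropped,
# so the mail body must be rendered per recipient rather than once for everyone.
def details_to_strings_for(details, user)
  details.select { |d| detail_visible?(d, user) }.map { |d| detail_to_string(d) }
end

# Constructed journal: one core attribute change and two custom-field changes.
JOURNAL = [
  JournalDetail.new('attr', 'status_id', '1', '2'),
  JournalDetail.new('cf', '1', 'Low', 'High'),
  JournalDetail.new('cf', '2', 'ACME-001', 'ACME-002'),
].freeze
DEVELOPER = User.new('dev', [:developer])
MANAGER   = User.new('pm', [:manager])
puts details_to_strings_for(JOURNAL, DEVELOPER) # prints only the two details the developer may see
```

The same per-recipient check belongs anywhere a journal is rendered for a user (mail, Atom feeds, the issue history), since a filter applied in only one renderer leaves the others leaking.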