Defect #8729
closed
Not-public queries are not private
0%
Description
- if you save a custom query on issues, and mark it as public, everyone who can view issues can see it in the sidebar, and it's... public
- if you don't mark it as public, it's not really private since everyone can access it knowing the URL (incrementing the ID is a simple way to do that)
- it may be useful for managers who don't want to display a lot of queries in the sidebar, but want to have some shortcuts for them or their project members
- it could be considered as a confidentiality break and be made strictly private to the user who created the custom query
Thanks for any thoughts about this.
Updated by Etienne Massip over 13 years ago
Confidentiality is a more critical concern than UI.
UI issue should be resolved via css / improved user control hack.
Updated by Alex Shulgin over 13 years ago
Etienne Massip wrote:
> Confidentiality is a more critical concern than UI.
Well, given that if you can run others' queries, you still won't be able to see tickets you're not supposed to see, there are few security concerns to be raised.
However, if that reveals the query title, this might potentially be an inconvenience (e.g. a project manager using some strong language in the query title while he believes it is never going to be public ;)
Anyway, there should be a way to check if a private query is run by someone who's not supposed to run it and simply deny access.
My 2 cents.
Updated by Etienne Massip over 13 years ago
It's more like a principle: a private object should not be visible to anyone other than its owner.
Alex Shulgin wrote:
> Anyway, there should be a way to check if a private query is run by someone who's not supposed to run it and simply deny access.
Very easy, indeed, the query belongs explicitly to the user =)
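The ownership check discussed in the two comments above, as an added Ruby sketch that is not part of the thread and is not the r6163 change. All class, method and sample names are hypothetical, the data is constructed, and the rule assumed is the one stated in the thread: a query is visible if it is public or belongs to the viewer.

```ruby
# Added illustration with hypothetical names; not Redmine's own code.
class Forbidden < StandardError; end

User  = Struct.new(:id, :name)
Query = Struct.new(:id, :name, :user_id, :is_public) do
  # Assumed rule: public queries for everyone, private ones for the owner only.
  def visible_to?(user)
    is_public || user_id == user.id
  end
end

class QueryStore
  def initialize(queries)
    @by_id = {}
    queries.each { |q| @by_id[q.id] = q }
  end

  # Reported behaviour: the sidebar is filtered, but a fetch by ID is not.
  def find_unscoped(id, _user)
    @by_id[id]
  end

  # Hardened fetch: the same visibility rule is applied on every lookup.
  # Missing and forbidden IDs raise the same error, so walking IDs does
  # not even reveal which private queries exist.
  def find_visible(id, user)
    query = @by_id[id]
    raise Forbidden, "query #{id} not available" if query.nil? || !query.visible_to?(user)
    query
  end

  def sidebar_for(user)
    @by_id.values.select { |q| q.visible_to?(user) }
  end
end

# Names a user can read by requesting each ID in turn through one lookup.
def readable_names(store, user, ids, lookup)
  ids.map do |id|
    begin
      found = store.public_send(lookup, id, user)
      found && found.name
    rescue Forbidden
      nil
    end
  end.compact
end

# Constructed sample data.
ALICE = User.new(1, "alice")
BOB   = User.new(2, "bob")
STORE = QueryStore.new([
  Query.new(1, "Open bugs", 1, true),
  Query.new(2, "Alice private shortcuts", 1, false),
  Query.new(3, "Bob private", 2, false)
])
```

With `find_unscoped`, the title of query 2 reaches Bob even though it never appears in his sidebar; with `find_visible`, the fetch by ID and the sidebar agree.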
Updated by Jean-Philippe Lang over 13 years ago
- Category set to Issues
- Status changed from New to Resolved
- Target version set to 1.2.1
- Resolution set to Fixed
Fixed in r6163.
Updated by Jean-Philippe Lang over 13 years ago
- Status changed from Resolved to Closed
Merged in 1.2-stable.
Updated by Go MAEDA over 6 years ago
- Has duplicate Feature #8946: Permissions for saving queries added