Defect #8729

closed

Not-public queries are not private

Added by Jean-Baptiste Barth over 13 years ago. Updated over 13 years ago.

Status: Closed
Priority: Low
Assignee: -
Category: Issues
Target version:
Start date: 2011-07-01
Due date:
% Done: 0%
Estimated time:
Resolution: Fixed
Affected version:

Description

I'd like to have the opinion of some of you about the following thing:
  • if you save a custom query on issues, and mark it as public, everyone who can view issues can see it in the sidebar, and it's... public
  • if you don't mark it as public, it's not really private since everyone can access it knowing the URL (incrementing the ID is a simple way to do that...)
I could understand both positions about this tiny defect:
  • it may be useful for managers who don't want to display a lot of queries in the sidebar, but want to have some shortcuts for them or their project members
  • it could be considered as a confidentiality break and be made strictly private to the user who created the custom query

Thanks for any thoughts about this.


Related issues

Has duplicate Redmine - Feature #8946: Permissions for saving queries (Closed, 2011-07-29)

Actions #1

Updated by Etienne Massip over 13 years ago

Confidentiality is a more critical concern than UI.

UI issue should be resolved via CSS / improved user control hack.

Actions #2

Updated by Alex Shulgin over 13 years ago

Etienne Massip wrote:

Confidentiality is a more critical concern than UI.

Well, given that if you can run others' queries, you still won't be able to see tickets you're not supposed to see, there are few security concerns to be raised.

However, if that reveals the query title, this might be potentially an inconvenience (e.g. project manager using some strong language in the query title while he believes it is never going to be public ;)

Anyway, there should be a way to check if a private query is run by someone who's not supposed to run it and simply deny access.

My 2 cents.

Actions #3

Updated by Etienne Massip over 13 years ago

It's more like a principle, a private object should not be visible to anyone other than its owner.

Alex Shulgin wrote:

Anyway, there should be a way to check if a private query is run by someone who's not supposed to run it and simply deny access.

Very easy, indeed, the query belongs explicitly to the user =)
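
The ownership check discussed in the comments above, sketched in plain Ruby as an added example; it is not code from this thread, from r6163, or from Redmine. `SavedQuery`, `QueryStore`, `AccessDenied` and the sample records are hypothetical and constructed for illustration.

```ruby
# Added illustration: SavedQuery, QueryStore and AccessDenied are hypothetical
# names, not Redmine classes; the sample records are constructed.
SavedQuery = Struct.new(:id, :name, :owner_id, :is_public) do
  # Visible when the query is public or the requester is its owner.
  def visible_to?(user_id)
    is_public || (!user_id.nil? && owner_id == user_id)
  end
end

class AccessDenied < StandardError; end

class QueryStore
  def initialize(queries)
    @by_id = queries.each_with_object({}) { |q, h| h[q.id] = q }
  end

  # Behaviour described in the report: lookup by ID alone, so a non-public
  # query is returned to whoever supplies its ID.
  def find_unchecked(id)
    @by_id.fetch(id)
  end

  # Checked lookup. Unknown IDs and other users' private queries raise the
  # same error (a design choice of this example), so the response does not
  # confirm which IDs exist.
  def find_for(user_id, id)
    query = @by_id[id]
    raise AccessDenied, "query #{id} is not available" unless query && query.visible_to?(user_id)
    query
  end

  def allowed?(user_id, id)
    find_for(user_id, id)
    true
  rescue AccessDenied
    false
  end

  # Sidebar listing built from the same predicate as the lookup.
  def visible_names(user_id)
    @by_id.values.select { |q| q.visible_to?(user_id) }.map(&:name).sort
  end
end

STORE = QueryStore.new([
  SavedQuery.new(1, "Open bugs", 10, true),
  SavedQuery.new(2, "Overdue tickets", 10, false),
  SavedQuery.new(3, "My review queue", 20, false)
])
```

Using one predicate for both the sidebar listing and the by-ID lookup keeps the two from drifting apart, which is the gap the report describes.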

Actions #4

Updated by Jean-Philippe Lang over 13 years ago

  • Category set to Issues
  • Status changed from New to Resolved
  • Target version set to 1.2.1
  • Resolution set to Fixed

Fixed in r6163.

Actions #5

Updated by Jean-Philippe Lang over 13 years ago

  • Status changed from Resolved to Closed

Merged in 1.2-stable.

Actions #6

Updated by Go MAEDA over 6 years ago

  • Has duplicate Feature #8946: Permissions for saving queries added