Defect #8729: Not-public queries are not private - Redmine

Actions

Copy link

Defect #8729

closed

Not-public queries are not private

Added by Jean-Baptiste Barth over 13 years ago. Updated over 13 years ago.

Status:

Closed

Priority:

Low

Assignee:

Category:

Issues

Target version:

1.2.1

Start date:

2011-07-01

Due date:

% Done:

Estimated time:

Resolution:

Fixed

Affected version:

1.2.0

Description

I'd like to have the opinion of some of you about the following thing :

if you save a custom query on issues, and mark it as public, everyone who can view issues can see it in the sidebar, and it's... public
if you don't mark it as public, it's not really private since everyone can access it knowing the URL (increment the ID is a simple way to do that..)

I could understand both position about this tiny defect :

it may be useful for managers who don't want to display a lot of queries in the sidebar, but want to have some shortcuts for them or their project members
it could be considered as a confidentiality break and be made strictly private to the user who created the custom query

Thanks for any though about this.

Related issues

Actions

Copy link

Updated by Etienne Massip over 13 years ago

Confidentiality is a more critical concern than UI.

UI issue should be resolved via css / improved user control hack.

Actions

Copy link

Updated by Alex Shulgin over 13 years ago

Etienne Massip wrote:

Confidentiality is a more critical concern than UI.

Well, given that if you can run other's queries, you still won't be able to see tickets you're not supposed to see, there's little security concerns to be raised.

However, if that reveals the query title, this might be potentially an inconvenience (e.g. project manager using some strong language in the query title while he believes it is never going to be public ;)

Anyway, there should be a way to check if a private query is run by someone who's not supposed to run it and simply deny access.

My 2 cents.

Actions

Copy link