What did you do to cause this?
After finding out that the timelines on our tracker were bleeding (see related), I decided to check permissions.
What page were you on?
Initially this was on the timeline page of one of our projects, but eventually on a ticket page.
What PHP and MySQL versions do you run?
PHP 5.3.3-7+squeeze14, MySQL 5.1.66-0+squeeze1
Describe the defect:
Much to my dismay, despite being logged out of the system completely I was able to view the majority of the content of the ticket.
To ensure it was not just a bout of insanity, I asked a few users who I know not to have access to the project to see if they could view the page. They were able to, with the same amount of content visible to them as well.
It feels as if this sort of access restriction is based more on obscurity than real restriction. So long as users who should not view the project do not know the slug, they won't be able to see it; but as soon as the slug is known, there is limited restriction to the content.
Attaching a view of a restricted ticket when browsing the site while logged in as a user who should not have access to the project.
Attaching a view of the settings of the project.
Attaching a view of the restricted ticket when browsing the site while logged in as a user who should have access to the project.
The differences leave little to the imagination.
Attaching a view of a restricted ticket when browsing the site while not logged in (anonymous).
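The failure the report describes is a missing server-side authorization check: the project slug acts as the only gate, so any visitor who knows it gets the ticket content. The example below is added here to illustrate that point and is not the tracker's own code. The record layouts, the helper functions (find_project_by_slug, find_ticket, can_view_project, show_ticket) and the sample projects and tickets are all constructed for the example; it is written for PHP 7.1 or later.

```php
<?php
// Added example (not the tracker's own code): a server-side authorization
// gate for a ticket view. Record shapes and helper names are assumptions.

// Constructed sample data standing in for database rows.
$PROJECTS = [
    'public-site' => ['id' => 1, 'slug' => 'public-site', 'is_public' => true,  'member_ids' => [10]],
    'secret-app'  => ['id' => 2, 'slug' => 'secret-app',  'is_public' => false, 'member_ids' => [10, 11]],
];
$TICKETS = [
    ['id' => 1, 'project_id' => 1, 'summary' => 'Fix footer link',  'body' => 'Link points to the old domain.'],
    ['id' => 2, 'project_id' => 2, 'summary' => 'Internal issue',   'body' => 'Details only members should see.'],
];

function find_project_by_slug(array $projects, string $slug): ?array {
    return $projects[$slug] ?? null;
}

function find_ticket(array $tickets, int $projectId, int $ticketId): ?array {
    foreach ($tickets as $t) {
        // Scope the lookup to the project so a ticket id from another project never resolves here.
        if ($t['project_id'] === $projectId && $t['id'] === $ticketId) {
            return $t;
        }
    }
    return null;
}

// The single place that decides whether $user may read $project.
function can_view_project(array $project, ?array $user): bool {
    if ($project['is_public']) {
        return true;                       // public projects are readable by anyone
    }
    if ($user === null) {
        return false;                      // anonymous visitors never see private projects
    }
    if (!empty($user['is_admin'])) {
        return true;
    }
    return in_array($user['id'], $project['member_ids'], true);
}

// Pattern matching the reported behaviour: knowing the slug is enough to read the ticket.
function show_ticket_unchecked(array $projects, array $tickets, string $slug, int $ticketId): array {
    $project = find_project_by_slug($projects, $slug);
    $ticket  = $project ? find_ticket($tickets, $project['id'], $ticketId) : null;
    return $ticket ? ['status' => 200, 'ticket' => $ticket] : ['status' => 404];
}

// Hardened pattern: authorize before loading or rendering any ticket data.
function show_ticket(array $projects, array $tickets, string $slug, int $ticketId, ?array $user): array {
    $project = find_project_by_slug($projects, $slug);
    if ($project === null || !can_view_project($project, $user)) {
        // Identical response for "no such project" and "not allowed", so the
        // slug alone does not confirm that a restricted project exists.
        return ['status' => 404];
    }
    $ticket = find_ticket($tickets, $project['id'], $ticketId);
    if ($ticket === null) {
        return ['status' => 404];
    }
    return ['status' => 200, 'ticket' => $ticket];
}

// Demo: anonymous visitor, non-member and member each request the private ticket.
$anon     = null;
$outsider = ['id' => 99, 'is_admin' => false];
$member   = ['id' => 11, 'is_admin' => false];

echo "unchecked, anyone with slug: ", show_ticket_unchecked($PROJECTS, $TICKETS, 'secret-app', 2)['status'], "\n";
echo "checked, anonymous:          ", show_ticket($PROJECTS, $TICKETS, 'secret-app', 2, $anon)['status'], "\n";
echo "checked, non-member:         ", show_ticket($PROJECTS, $TICKETS, 'secret-app', 2, $outsider)['status'], "\n";
echo "checked, member:             ", show_ticket($PROJECTS, $TICKETS, 'secret-app', 2, $member)['status'], "\n";
echo "checked, public project:     ", show_ticket($PROJECTS, $TICKETS, 'public-site', 1, $anon)['status'], "\n";
```

The unchecked function hands the private ticket to anyone who supplies the slug, which is the situation the attachments above document; the checked function returns the ticket only to a member (or to anyone on a public project) and answers the anonymous visitor and the outsider with the same not-found response. Keeping the decision in one function such as can_view_project, and calling it before any ticket data is loaded, also makes the timeline and other project pages easy to audit for the same gap.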