Restricted projects not so restricted

313
Defect
-
3.0.5
-
Core
Fixed
Normal
Major
4 years ago
3 years ago
0

Description

What did you do to cause this?

After finding out that the timelines on our tracker were bleeding (see related), I decided to check permissions.

What page were you on?

Initially this was on the timeline page of one of our projects, but eventually to a ticket page.

What PHP and MySQL versions do you run?

5.3.3-7+squeeze14, 5.1.66-0+squeeze1

Describe the defect:

Much to my dismay, despite being logged out of the system completely I was able to view the majority of the content of the ticket.

To ensure it was not just a bout of insanity, I asked a few users who I know not to have access to the project to see if they could view the page. They were able to, with the same amount of content visible to them as well.

It feels as if this sort of access restriction is based more on obscurity than real restriction. So long as users who should not view the project do not know the slug, they won't be able to see it; but as soon as the slug is known, there is limited restriction to the content.
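For contrast with the behaviour described above, the following is an added illustration (not the tracker's own code; the `Project`, `User`, `canViewProject` and `showTicket` names and the `isPrivate`/`memberIds` fields are assumptions) of a slug-only lookup next to a deny-by-default membership check that an authorization layer should enforce before any ticket content is rendered:

```php
<?php
// Added example, not the tracker's own code. Class and field names are
// hypothetical; they stand in for whatever the real project model looks like.
declare(strict_types=1);

final class Project
{
    public function __construct(
        public readonly string $slug,
        public readonly bool $isPrivate,   // the "restricted" flag in project settings
        /** @var int[] ids of users allowed to see a private project */
        public readonly array $memberIds,
    ) {}
}

final class User
{
    public function __construct(
        public readonly int $id,
        public readonly bool $isAdmin = false,
    ) {}
}

// Weak pattern: knowing the slug is enough. The route resolves the project
// and renders the ticket without ever asking who is looking at it, so the
// anonymous visitor and the unrelated logged-in user both see the content.
function slugOnlyCanView(Project $project, ?User $user): bool
{
    return true;   // visibility rests on the slug staying secret
}

// Hardened pattern: deny by default. An anonymous visitor ($user === null)
// never sees a private project; a logged-in user must be an admin or a member.
function canViewProject(Project $project, ?User $user): bool
{
    if (!$project->isPrivate) {
        return true;
    }
    if ($user === null) {
        return false;
    }
    if ($user->isAdmin) {
        return true;
    }
    return in_array($user->id, $project->memberIds, true);
}

// Controller-style guard: decide before any ticket data is loaded, and answer
// 404 rather than 403 so the slug alone does not confirm the project exists.
function showTicket(Project $project, ?User $user, callable $render): array
{
    if (!canViewProject($project, $user)) {
        return ['status' => 404, 'body' => 'Not found'];
    }
    return ['status' => 200, 'body' => $render()];
}

// Constructed sample data for a stand-alone run.
$private = new Project('restricted-project', true, [42]);
$public  = new Project('open-project', false, []);

$viewers = [
    'anonymous' => null,
    'outsider'  => new User(7),
    'member'    => new User(42),
    'admin'     => new User(1, true),
];

foreach ($viewers as $label => $user) {
    $r = showTicket($private, $user, fn() => 'ticket body');
    printf("%-9s on private project -> HTTP %d\n", $label, $r['status']);
}
$r = showTicket($public, null, fn() => 'ticket body');
printf("anonymous on public project  -> HTTP %d\n", $r['status']);
```

The same `canViewProject` check has to sit in front of every path that can expose ticket data, not only the ticket page: the timeline mentioned in the related report, search results, feeds and attachment downloads all leak the same content if only the ticket view is guarded.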

Attachments

Ticket History

4 years and 7 months ago by Jamie R. McPeek

  • Added attachment Anonymous-User.png

Attaching view of a restricted ticket when browsing the site while not logged in (anonymous).

4 years and 7 months ago by Jamie R. McPeek

  • Added attachment Normal-User.png

Attaching a view of a restricted ticket when browsing the site while logged in as a user who should not have access to the project.

4 years and 7 months ago by Jamie R. McPeek

  • Added attachment Project-Settings.png

Attaching a view of the settings of the project.

4 years and 7 months ago by Jamie R. McPeek

  • Added attachment Approved-User.png

Attaching a view of the restricted ticket when browsing the site while logged in as a user who should have access to the project.

The differences leave little to the imagination.

4 years and 7 months ago by Jack

  • Closed ticket as Fixed