Vote #65568

Completed

account/show/:user_id should not be accessible for other users not in your projects

Added by Admin Redmine almost 2 years ago. Updated almost 2 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Accounts / authentication_7
Target version:
Start date: 2009/08/07
Due date:
% Done: 0%
Estimated time:
category_id: 7
version_id: 12
issue_org_id: 3720
author_id: 7148
assigned_to_id: 0
comments: 4
status_id: 5
tracker_id: 2
plus1: 0
affected_version:
closed_on:
affected_version_id:
Status-->[Closed]

Description

We use Redmine in a setting where certain users should not be able to see the name and email of every other user in the system. For example, when you have two separate clients involved in separate private projects, these clients shouldn't be able to access each other's user profile at /account/show/:other_user_id. They should have no way of discovering other users in the same system that aren't involved in their projects.

To increase privacy and security of a Redmine system, particularly where it is not good to expose who all the users are, it would be nice to restrict access to those users which are in public projects or private projects that the current user is also in.


journals

--------------------------------------------------------------------------------
Fixed in r2986. User won't be displayed if there's no visible project or activity.
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
Merged in 0.8 branch in r2987.
--------------------------------------------------------------------------------


related_issues

relates,Closed,4129,Anonymous users can get all user's information
duplicates,Closed,5351,View /account/show/id-user on Redmine 0.9.2

Updated by Admin Redmine almost 2 years ago

  • Category set to Accounts / authentication_7
  • Target version set to 0.8.6_12
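
The visibility rule requested in the description (a profile is shown only when the target user is in a public project or in a private project the viewer also belongs to), as an added Ruby example that is not Redmine's code or the change in r2986. The sample data, the `show_profile` handler, the admin bypass and the uniform 404 response are assumptions of the example; the "activity" half of the fix is not modelled.

```ruby
require 'set'

# Constructed sample data (not from the issue): two clients in separate
# private projects, plus one public project.
Project = Struct.new(:id, :name, :is_public, :member_ids)
User    = Struct.new(:id, :name, :mail, :admin)

USERS = {
  1 => User.new(1, 'admin',    'admin@example.test', true),
  2 => User.new(2, 'client_a', 'a@example.test',     false),
  3 => User.new(3, 'client_b', 'b@example.test',     false),
  4 => User.new(4, 'dev',      'dev@example.test',   false),
  5 => User.new(5, 'idle',     'idle@example.test',  false)
}.freeze

PROJECTS = [
  Project.new(10, 'private-a', false, Set[2, 4]),
  Project.new(11, 'private-b', false, Set[3, 4]),
  Project.new(12, 'public',    true,  Set[4])
].freeze

# Projects the viewer may see: public ones, plus private ones they belong to.
# viewer is nil for an anonymous request.
def visible_projects(viewer)
  PROJECTS.select { |p| p.is_public || (viewer && p.member_ids.include?(viewer.id)) }
end

# A profile is visible to its owner, to an admin (assumption), or when the
# target is a member of at least one project the viewer can see.
def profile_visible?(viewer, target)
  return true if viewer && (viewer.admin || viewer.id == target.id)
  visible_projects(viewer).any? { |p| p.member_ids.include?(target.id) }
end

# Hypothetical handler for /account/show/:user_id. Unknown ids and hidden users
# get the same 404, so the response does not confirm that an account exists.
def show_profile(viewer_id, target_id)
  viewer = USERS[viewer_id]
  target = USERS[target_id]
  return [404, nil] if target.nil? || !profile_visible?(viewer, target)
  [200, { name: target.name, mail: target.mail }]
end
```

The check is made on every request against the target's memberships, so walking through sequential `:user_id` values returns only profiles the viewer already shares a visible project with.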
