Vote #70254

Done

Not-public queries are not private

Added by Admin Redmine almost 2 years ago. Updated almost 2 years ago.

Status: Closed
Priority: Low
Assignee: -
Category: Issues_2
Target version:
Start date: 2011/07/01
Due date:
% Done: 0%
Estimated time:
category_id: 2
version_id: 35
issue_org_id: 8729
author_id: 1188
assigned_to_id: 0
comments: 6
status_id: 5
tracker_id: 1
plus1: 0
affected_version:
closed_on:
affected_version_id: 27
Status-->[Closed]

Description

I'd like to have the opinion of some of you about the following thing:

  • if you save a custom query on issues, and mark it as public, everyone who can view issues can see it in the sidebar, and it's... public
  • if you don't mark it as public, it's not really private since everyone can access it knowing the URL (incrementing the ID is a simple way to do that..)

I could understand both positions about this tiny defect:

  • it may be useful for managers who don't want to display a lot of queries in the sidebar, but want to have some shortcuts for them or their project members
  • it could be considered as a confidentiality break and be made strictly private to the user who created the custom query

Thanks for any thoughts about this.


journals

Confidentiality is a more critical concern than UI.

UI issue should be resolved via css / improved user control hack.

--------------------------------------------------------------------------------
Etienne Massip wrote:
> Confidentiality is a more critical concern than UI.

Well, given that if you can run others' queries, you still won't be able to see tickets you're not supposed to see, there's little security concern to be raised.

However, if that reveals the query title, this might be potentially an inconvenience (e.g. project manager using some strong language in the query title while he believes it is never going to be public ;)

Anyway, there should be a way to check if a private query is run by someone who's not supposed to run it and simply deny access.

My 2 cents.

--------------------------------------------------------------------------------
It's more like a principle, a private object should not be visible to someone other than its owner.

Alex Shulgin wrote:
> Anyway, there should be a way to check if a private query is run by someone who's not supposed to run it and simply deny access.

Very easy, indeed, the query belongs explicitly to the user =)

--------------------------------------------------------------------------------
Fixed in r6163.
--------------------------------------------------------------------------------
Merged in 1.2-stable.
--------------------------------------------------------------------------------
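
The owner check discussed in this thread, as an added example that is not part of the original issue and is not Redmine's code (the change made in r6163 is not shown on this page). The `SavedQuery`, `User` and `QueryStore` names and the sample data are hypothetical.

```ruby
# Added illustration; hypothetical names, not Redmine's implementation.
SavedQuery = Struct.new(:id, :name, :owner_id, :is_public)
User = Struct.new(:id)

class NotFound < StandardError; end
class Forbidden < StandardError; end

class QueryStore
  def initialize(queries)
    @by_id = queries.map { |q| [q.id, q] }.to_h
  end

  # Public queries are visible to everyone; a non-public query only to its owner.
  def visible?(query, user)
    query.is_public || (!user.nil? && query.owner_id == user.id)
  end

  # Every lookup by ID passes the same check as the sidebar listing,
  # so knowing or guessing an ID does not bypass it.
  def find_for(user, id)
    query = @by_id.fetch(id) { raise NotFound, "no query #{id}" }
    raise Forbidden, "query #{id} is not visible to user #{user&.id}" unless visible?(query, user)
    query
  end

  def sidebar_for(user)
    @by_id.values.select { |q| visible?(q, user) }
  end

  # IDs in +range+ that +user+ can actually load (what walking the IDs yields).
  def loadable_ids(user, range)
    range.select do |id|
      find_for(user, id)
      true
    rescue NotFound, Forbidden
      false
    end
  end
end

# Constructed sample data.
ALICE = User.new(10)
BOB   = User.new(20)
STORE = QueryStore.new([
  SavedQuery.new(1, "Open bugs", 10, true),
  SavedQuery.new(2, "Release blockers shortlist", 10, false),
  SavedQuery.new(3, "Overdue tickets", 20, false)
])
```

With this check in place, `STORE.loadable_ids(BOB, 1..5)` returns only the public query and Bob's own, and the title of Alice's non-public query is never handed to him.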



related_issues

duplicates,Closed,8946,Permissions for saving queries

Updated by Admin Redmine almost 2 years ago

  • Category set to Issues_2
  • Target version set to 1.2.1_35
