#78979 Information leak on roadmap and versions view
Status: Closed
Done: 0%
Description
When limiting a role's permission to only access "Issues created by or assigned to the user", the roadmap (@/projects/:identifier/roadmap@) and version details (@versions/:id@) views leak information about inaccessible issues and time estimations. Due to missing permission checks in Version#fixed_issues, the restricted user may see the overall number of issues, their status, tracker, author, category, and time estimations.
We think this is a security-relevant information leak and it should be fixed and announced responsibly. Attached you may find a proposed patch which includes tests and a fix.
The attached patch changes the Version model so that the calculation methods (@closed_issues_count@, @open_issues_count@, etc.) are now also available on the @fixed_issues@ relation proxy object. In a second step, all relevant places where those calculation methods are used are updated to include the @visible@ scope. This fixes the roadmap view, the version details view and the version summary in the Gantt chart.
This bug was reported by a "Planio":https://plan.io/redmine-hosting user, the patch series was developed by Gregor Schmidt.
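The counting logic at issue, as an added illustration in plain Ruby that is not part of this issue's patch or of Redmine's code. It models a Version whose fixed_issues collection carries the calculation methods and a visible scope (names borrowed from the description above; the Issue fields, the sample users and issues, the progress formula and the visibility rule are all constructed for the example), and compares what a restricted user learns before and after the calculations are scoped to visible issues. It also encodes the hidden-issue messages proposed later in the discussion of this issue.

```ruby
# Added example, not Redmine's code: a toy in-memory model of the roadmap
# counting logic. Class and method names mirror Redmine's vocabulary; the
# data, the visibility rule and the progress formula are constructed here.

Issue = Struct.new(:id, :author, :assigned_to, :closed, :estimated_hours, :done_ratio,
                   keyword_init: true) do
  # Visibility for a role limited to "Issues created by or assigned to the user".
  def visible_to?(user)
    author == user || assigned_to == user
  end
end

# Mirrors the patch idea: the calculation methods live on the collection, so
# they behave identically on the full relation and on the visible subset.
module VersionCalculations
  def issues_count
    count
  end

  def closed_issues_count
    count(&:closed)
  end

  def open_issues_count
    issues_count - closed_issues_count
  end

  def estimated_hours
    sum { |i| i.estimated_hours.to_f }
  end

  # Progress: closed issues count as 100%, open ones contribute their done ratio.
  def completed_percent
    return 0.0 if issues_count.zero?
    total = sum { |i| i.closed ? 100 : i.done_ratio.to_i }
    (total.to_f / issues_count).round(1)
  end
end

class IssueCollection
  include Enumerable
  include VersionCalculations

  def initialize(issues)
    @issues = issues
  end

  def each(&block)
    @issues.each(&block)
  end

  # Stand-in for the `visible` scope: the subset this user may see, still
  # carrying the calculation methods.
  def visible(user)
    IssueCollection.new(select { |i| i.visible_to?(user) })
  end
end

class Version
  attr_reader :fixed_issues

  def initialize(issues)
    @fixed_issues = IssueCollection.new(issues)
  end
end

# Constructed sample data: the restricted user "bob" may see only issue 2.
ALICE = "alice"
BOB   = "bob"
SAMPLE_VERSION = Version.new([
  Issue.new(id: 1, author: ALICE, assigned_to: ALICE, closed: true,  estimated_hours: 8.0,  done_ratio: 100),
  Issue.new(id: 2, author: ALICE, assigned_to: BOB,   closed: false, estimated_hours: 4.0,  done_ratio: 40),
  Issue.new(id: 3, author: ALICE, assigned_to: ALICE, closed: false, estimated_hours: 16.0, done_ratio: 0),
])

def stats_for(issues)
  {
    issues: issues.issues_count,
    closed: issues.closed_issues_count,
    open: issues.open_issues_count,
    estimated_hours: issues.estimated_hours,
    percent: issues.completed_percent,
  }
end

# Before the fix: everything is computed over version.fixed_issues, so bob
# learns the version has 3 issues, 1 closed and 28h estimated.
def leaky_roadmap_stats(version)
  stats_for(version.fixed_issues)
end

# After the fix: the same calculations run on the visible scope only.
def safe_roadmap_stats(version, user)
  stats_for(version.fixed_issues.visible(user))
end

# The notice proposed in the discussion: tell the user when issues exist on
# the version that were not taken into account.
def visibility_note(version, user)
  total   = version.fixed_issues.issues_count
  visible = version.fixed_issues.visible(user).issues_count
  if total.zero?        then "No issues for this version"
  elsif visible.zero?   then "No visible issues for this version"
  elsif visible < total then "Some issues assigned to this version are not visible and not taken into account"
  end
end

if __FILE__ == $PROGRAM_NAME
  p leaky_roadmap_stats(SAMPLE_VERSION)
  p safe_roadmap_stats(SAMPLE_VERSION, BOB)
  puts visibility_note(SAMPLE_VERSION, BOB)
end
```

Running the file prints the unscoped statistics (3 issues, 1 closed, 28.0 hours, 46.7%) next to what bob is entitled to see (1 issue, 0 closed, 4.0 hours, 40.0%), followed by the "not visible" notice. The point of keeping the calculations on the collection rather than on Version is that a view cannot accidentally call the unscoped variant: it has to pick a collection first, and the visible one is the only sensible choice in a user-facing view.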
Journals
I've committed the patch series, thanks.
This issue was already reported a long time ago and it was chosen not to change the behaviour (see #15258). With this change, different users might now see different progress values for the same version and this can be confusing. I think we should add a message for when there are issues assigned to the version that are not visible to the user, for example:
* When all issues are visible: no change
* When there are no visible issues but other issues exist: "No visible issues for this version" (instead of "No issues for this version")
* When there are visible issues and other issues exist: "Some issues assigned to this version are not visible and not taken into account" (message added)
* When there are no issues: no change ("No issues for this version")
What do you think? IMO, it's important to let the user know that there are other (not visible) issues that are assigned to the version.
--------------------------------------------------------------------------------
Also reported in #9411 and #15248
--------------------------------------------------------------------------------
Thank you for your feedback. Here's what Gregor said:
> I agree. It may be confusing that two users may see different roadmaps. On the other hand, the same is true for issue lists, Gantt charts and many other views. This would be the first place where a special note about invisible elements is added. It feels like a paradigm shift to me.
>
> I don't want to argue against that change. I merely want to be sure that it's done without proper thought.
--------------------------------------------------------------------------------
How about #19187 and #19059?
Marius provides a test case in #19187#note-4.
--------------------------------------------------------------------------------
This issue should appear in the changelog. Setting target version to 4.0.0.
--------------------------------------------------------------------------------
Related issues
relates: #15258 (Closed) Roadmap Issue Count off
duplicates: #19187 (Closed) Roadmap links in subproject
duplicates: #19059 (Closed) Wrong number of issues for a version in the roadmap