Commit 94e6810

Todd Whitesel authored and davidhicks committed on Sep 5, 2011
Fix #12361: Private bug visibility leak in my_view/view_all_bug_page

In the My View / View Issues screens, private bugs in public projects (and probably private projects too) appear to ignore the private_bug_threshold value of their project unless you select it. When some projects have tighter security on viewing private bugs than others, this creates a situation where a user who should not be able to see a bug can still discover its existence in My View and View Issues. Viewing it fails with 'access denied', but if the summary had confidential information in it then the security leak has already happened.

I don't consider giving All Projects the tighter security to be a usable workaround, because then you can't find bugs in the projects that use normal security for private bugs, until you select one of them, but then you can only see the subproject hierarchy you just went into.

Steps to reproduce:
------
On a fresh 1.2.2 install try this:
Create a public project.
In the project, edit thresholds so that you need manager to view private bugs.
Submit a private bug to that project.
Login as a different user with global access of developer.
View All Projects.
You can see the bug in MyView / ViewIssues but then when you click on it you get an Access Denied screen.
If you select the bug's project, then it correctly disappears.
------

Signed-off-by: David Hicks <d@hx.id.au>
1 parent b08e9c1 commit 94e6810

1 file changed: +1 -1 lines changed

core/filter_api.php

@@ -1201,8 +1201,8 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
12011201
// this array is populated with project ids that the current user has full access to.
12021202
$t_private_and_public_project_ids = array();
12031203

1204-
$t_access_required_to_view_private_bugs = config_get( 'private_bug_threshold' );
12051204
foreach( $t_project_ids as $t_pid ) {
1205+
$t_access_required_to_view_private_bugs = config_get( 'private_bug_threshold', null, null, $t_pid );
12061206
if( access_has_project_level( $t_access_required_to_view_private_bugs, $t_pid, $t_user_id ) ) {
12071207
$t_private_and_public_project_ids[] = $t_pid;
12081208
} else {
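Review bot: the threshold is now looked up per project (`$t_access_required_to_view_private_bugs = config_get( 'private_bug_threshold', null, null, $t_pid );`), which is the right fix, but the user argument is still `null`, so config_get resolves the option for the current session user while the check on the following line (`access_has_project_level( $t_access_required_to_view_private_bugs, $t_pid, $t_user_id )`) is made for `$t_user_id`. If `$t_user_id` can differ from the logged-in user, pass `$t_user_id` as the third argument so any per-user override of the threshold is evaluated for the same user whose access is being tested. It would also be worth adding a regression test that follows the steps in the commit message (manager threshold on one public project, a second user with global developer access, All Projects selected) and asserts that the private bug is absent from the rows filter_get_bug_rows returns.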
