Commit
Fix #12361: Private bug visibility leak in my_view/view_all_bug_page
In the My View / View Issues screens, private bugs in public projects (and probably private projects too) appear to ignore the private_bug_threshold value of their project unless you select it. When some projects have tighter security on viewing private bugs than others, this creates a situation where a user who should not be able to see a bug can still discover its existence in My View and View Issues. Viewing it fails with 'access denied', but if the summary had confidential information in it then the security leak has already happened.

I don't consider giving All Projects the tighter security to be a usable workaround, because then you can't find bugs in the projects that use normal security for private bugs until you select one of them, but then you can only see the subproject hierarchy you just went into.

Steps to reproduce:
------
On a fresh 1.2.2 install try this:
Create a public project.
In the project, edit thresholds so that you need manager to view private bugs.
Submit a private bug to that project.
Log in as a different user with global access of developer.
View All Projects. You can see the bug in MyView / ViewIssues, but then when you click on it you get an Access Denied screen.
If you select the bug's project, then it correctly disappears.
------

Signed-off-by: David Hicks <d@hx.id.au>
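To make the failure mode concrete, the following Python model (added here for illustration; it is not MantisBT's code and does not reproduce its PHP implementation) contrasts a list filter that applies the threshold of the currently selected project to every bug with one that looks up each bug's own project threshold. The access level constants are MantisBT's standard values; the project ids, thresholds and bug records are constructed sample data, and a user's access is simplified to a single global level as in the report.

```python
# Illustrative model of the private_bug_threshold check described in the
# commit message. Not MantisBT code; sample data is constructed.

# MantisBT's standard access level constants.
VIEWER, REPORTER, UPDATER, DEVELOPER, MANAGER, ADMINISTRATOR = 10, 25, 40, 55, 70, 90
ALL_PROJECTS = 0  # MantisBT uses project id 0 for "All Projects"

# Constructed per-project thresholds: project 2 requires MANAGER, the rest
# inherit the global DEVELOPER default.
PRIVATE_BUG_THRESHOLD = {
    ALL_PROJECTS: DEVELOPER,
    1: DEVELOPER,
    2: MANAGER,
}

# Constructed bug list. Bug 103's summary is the kind of text that leaks.
BUGS = [
    {"id": 101, "project_id": 1, "private": False, "summary": "Public typo"},
    {"id": 102, "project_id": 1, "private": True, "summary": "Private, default threshold"},
    {"id": 103, "project_id": 2, "private": True, "summary": "Confidential: customer data in summary"},
]


def _in_scope(bug, current_project):
    """A bug is listed when All Projects is selected or it belongs to the selected project."""
    return current_project == ALL_PROJECTS or bug["project_id"] == current_project


def leaky_visible_ids(bugs, user_access, thresholds, current_project):
    """Faulty filter: one threshold, taken from the selected project, is applied
    to every bug. With All Projects selected that is the global default, so a
    project that tightened its threshold is not honoured."""
    threshold = thresholds[current_project]
    return [
        b["id"] for b in bugs
        if _in_scope(b, current_project) and (not b["private"] or user_access >= threshold)
    ]


def fixed_visible_ids(bugs, user_access, thresholds, current_project):
    """Corrected filter: the threshold is looked up per bug from the bug's own
    project, so the list view agrees with the per-bug view_bug check."""
    return [
        b["id"] for b in bugs
        if _in_scope(b, current_project)
        and (not b["private"] or user_access >= thresholds[b["project_id"]])
    ]


def leaked_summaries(bugs, user_access, thresholds, current_project):
    """Summaries shown by the faulty filter that the corrected filter would hide.
    Useful as a regression check: the list must be empty for every access level."""
    fixed = set(fixed_visible_ids(bugs, user_access, thresholds, current_project))
    return [
        b["summary"] for b in bugs
        if b["id"] in leaky_visible_ids(bugs, user_access, thresholds, current_project)
        and b["id"] not in fixed
    ]


if __name__ == "__main__":
    # A developer viewing All Projects: the faulty filter lists bug 103.
    print(leaky_visible_ids(BUGS, DEVELOPER, PRIVATE_BUG_THRESHOLD, ALL_PROJECTS))
    print(fixed_visible_ids(BUGS, DEVELOPER, PRIVATE_BUG_THRESHOLD, ALL_PROJECTS))
    print(leaked_summaries(BUGS, DEVELOPER, PRIVATE_BUG_THRESHOLD, ALL_PROJECTS))
```

Selecting project 2 makes both filters agree (the developer sees nothing there), which is the "correctly disappears" behaviour in the report; the discrepancy exists only in the aggregated All Projects view, where the per-bug lookup is the check that matches what view_bug_page itself enforces.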