Defect #15613

'Add watchers' within the new issue reveals all the accounts

Added by David Hrbáč almost 4 years ago. Updated almost 4 years ago.

Status:ClosedStart date:
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:Issues permissions
Target version:-
Resolution:Duplicate Affected version:2.3.2

Description

Hi,

'Add watchers' within the new issue reveals all the Redmine accounts, not only the project accounts. We consider it as a security issues and we had to remove the link from issue page.

Version:
We are using Redmine 2.3.2.stable

Expected behavior:
Redmine should list only the accounts available to the logged user.

Thanks,
David Hrbáč


Related issues

Duplicates Redmine - Defect #15123: "Add watcher" leaks all active users Closed

History

#1 Updated by Toshi MARUYAMA almost 4 years ago

  • Status changed from New to Closed
  • Resolution set to Duplicate

Duplicate with #15123.

#2 Updated by Toshi MARUYAMA almost 4 years ago

  • Duplicates Defect #15123: "Add watcher" leaks all active users added

Also available in: Atom PDF