Defect #15789

Users can see all groups when adding a filter "Assignee's Group"

Added by Pierre Maigne over 4 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Assignee: Jean-Philippe Lang
Category: Permissions and roles
Target version: 3.0.0
Resolution: Fixed
Affected version: 2.4.2
Start date:
Due date:
% Done: 0%

Description

Hello,

I'm going to quote Djordjije who perfectly explained the problem in issue #11724, note 13 (even if issue #11724 has nothing to do with this current issue).

Djordjije Crni wrote:

User can see the names of all groups on Redmine, by selecting issue filter by "Assignee's group"!
This happens even if issue assignment to groups isn't allowed.
I've expected to see only the names of those groups which are assigned to that project in the filter list.
And guess what, almost all group names (in my case) are constructed from two parts: project role and project name. Very original idea, isn't it?
In this case, a customer can easily guess the names of all projects, which is not acceptable at all.
It seems that current Redmine user/group permission model can't provide reliable customer/project isolation.
"Workaround" could be to give meaningless names to groups, and even better, give meaningless names to projects also?

We have the same issue. We create a group for each customer who is accessing Redmine, and the group name is the customer name. This way, any customer can access our whole customer list.

Thanks in advance for your feedback.

0001-redmine-issue-15789.patch - disable issues filter by group (1.14 KB) Rafał Lisowski, 2014-05-19 11:09


Related issues

Related to Redmine - Feature #11724: Prevent users from seeing other users based on their proj... Closed

History

#1 Updated by Mischa The Evil over 4 years ago

  • Related to Feature #11724: Prevent users from seeing other users based on their project membership added

#2 Updated by Markus Peter over 4 years ago

A solution would be to only list groups which are linked to a role in the current project.

In our case (a group for each client), this would effectively prevent our clients from seeing each other.
We now have to link all client users directly to their projects in order to bypass the creation of a group.

#3 Updated by Rafał Lisowski about 4 years ago

I just disabled the filter by group. No one uses it at my company, so it was the easiest way to prevent data leakage.
I don't have time now to implement Markus Peter's solution: "only list groups which are linked to a role in the current project".

#4 Updated by Jean-Philippe Lang over 3 years ago

  • Status changed from New to Closed
  • Assignee set to Jean-Philippe Lang
  • Target version set to 3.0.0
  • Resolution set to Fixed

Fixed by r13584. Depending on the users visibility setting on roles, the group filter will list groups linked to visible projects only.
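The following is an added illustration, not code from Redmine or from r13584: a plain-Ruby model of the leaky filter and of the fixed behaviour described in this thread (groups restricted to projects the user can see, unless one of the user's roles grants "all" users visibility). The class and method names (GroupFilter, leaky_values, values_for, visible_projects), the simplified visibility rule and the sample projects, groups and users are assumptions made for the example; the value names "all" and "members_of_visible_projects" mirror the role setting but the logic here is a deliberate simplification of the real implementation.

```ruby
# Added example (not Redmine's code): model of the "Assignee's group" filter
# before and after the fix discussed in issue #15789. All names are assumed.

Project    = Struct.new(:name, :public)               # public: true/false
Group      = Struct.new(:name)
Role       = Struct.new(:name, :users_visibility)     # "all" or "members_of_visible_projects"
Membership = Struct.new(:principal, :project, :role)  # principal: user name (String) or Group

class GroupFilter
  def initialize(projects, groups, memberships)
    @projects    = projects
    @groups      = groups
    @memberships = memberships
  end

  # Before the fix: every group on the instance is offered as a filter value,
  # whatever the user is allowed to see. This is the leak reported above.
  def leaky_values(_user)
    @groups.map(&:name).sort
  end

  # After the fix: the offered groups depend on the user's roles.
  #  - a role with users_visibility "all" keeps the old, unrestricted list;
  #  - otherwise only groups that are members of a project the user can see.
  def values_for(user)
    return leaky_values(user) if roles_of(user).any? { |r| r.users_visibility == "all" }
    visible = visible_projects(user)
    @groups.select { |g| member_of_any?(g, visible) }.map(&:name).sort
  end

  private

  def roles_of(user)
    @memberships.select { |m| m.principal == user }.map(&:role)
  end

  # Simplified rule: a non-admin user sees public projects plus projects they belong to.
  def visible_projects(user)
    own = @memberships.select { |m| m.principal == user }.map(&:project)
    (@projects.select(&:public) + own).uniq
  end

  def member_of_any?(group, projects)
    @memberships.any? { |m| m.principal == group && projects.include?(m.project) }
  end
end

# Constructed sample data: the "one group per customer" setup described in the report.
ACME   = Project.new("acme-portal", false)
GLOBEX = Project.new("globex-portal", false)
WIKI   = Project.new("public-wiki", true)
PROJECTS = [ACME, GLOBEX, WIKI]

CUSTOMER = Role.new("Customer", "members_of_visible_projects")
MANAGER  = Role.new("Manager", "all")

G_ACME    = Group.new("Customer ACME")
G_GLOBEX  = Group.new("Customer Globex")
G_DEVS    = Group.new("Developers")
G_SUPPORT = Group.new("Support")
GROUPS    = [G_ACME, G_GLOBEX, G_DEVS, G_SUPPORT]

MEMBERSHIPS = [
  Membership.new(G_ACME,    ACME,   CUSTOMER),
  Membership.new(G_GLOBEX,  GLOBEX, CUSTOMER),
  Membership.new(G_DEVS,    ACME,   MANAGER),
  Membership.new(G_DEVS,    GLOBEX, MANAGER),
  Membership.new(G_SUPPORT, WIKI,   CUSTOMER),
  Membership.new("alice",   ACME,   CUSTOMER),  # ACME's customer contact
  Membership.new("bob",     GLOBEX, MANAGER),   # in-house project manager
]

FILTER = GroupFilter.new(PROJECTS, GROUPS, MEMBERSHIPS)

if __FILE__ == $0
  puts "before fix, alice sees: #{FILTER.leaky_values('alice').inspect}"
  puts "after fix,  alice sees: #{FILTER.values_for('alice').inspect}"
  puts "after fix,  bob sees:   #{FILTER.values_for('bob').inspect}"
end
```

Run with `ruby group_filter.rb`: alice (a customer contact) no longer sees "Customer Globex", while bob, whose Manager role grants "all" users visibility, still gets the full list. The check that matters when auditing a fix like this is the one on `values_for` for a low-privilege user, since the leak only shows up through the filter's value list, not through the issue query itself.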
