Defect #27804

Restriction of user visibility isn't working with internal authentication

Added by Philip Heise 10 months ago. Updated 8 months ago.

Status:Needs feedbackStart date:
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:Security
Target version:-
Resolution: Affected version:3.3.1

Description

Hi,

I'm using Redmine 3.3.1 (Debian Stretch). I have two authentication methods configured: internal and LDAP. In the Settings I use the following settings:
- User visibility: Members of visible projects
- Member management: All Roles
- Permissions: Manager members

I dicovered that the restriction to view only members of visible projects (in every project's members configruration) only works for users with LDAP authentication. If a user account uses the internal authentication it can view the list of all redmine user accounts.

show-user.png (14.9 KB) Toshi MARUYAMA, 2018-01-13 18:35

foto.png (51.2 KB) Philip Heise, 2018-02-14 19:57

History

#1 Updated by Toshi MARUYAMA 9 months ago

  • File show-user.png added
  • Status changed from New to Needs feedback

I cannot reproduce on vanilla Redmine 3.3.5.
I got 404 on both of internal and ldap.

Philip Heise wrote:

If a user account uses the internal authentication it can view the list of all redmine user accounts.

Which form is the list?

#2 Updated by Philip Heise 8 months ago

Which form is the list?

It's the user select dialog that opens when you want to add new users in the project's configuration.

Also available in: Atom PDF