Security problem with "only issues created by or assigned"-permission?

Added by Anonymous about 7 years ago

Hi!

As I encountered security problems when using "extended_watchers_plugin" due to the behavior of other plugins, I investigated the permission setting with the ticket visibility "only issues created by or assigned".

We are on Redmine 3.3.0 and I found the following problem, which I would like to discuss here before posting it as a defect:

My user with the permissions "only issues created by or assigned" shows the following behavior when accessing tickets:
  • ticket statistics on project overview: OK (just showing tickets where user is author or assignee)
  • ticket lists and filtered lists: OK (just showing tickets where user is author or assignee)
  • direct access to an invisible ticket via entering the ticket ID in the search field: OK (ticket not found)
  • direct ticket access via URI: not OK: if the user knows the issue ID, the user can break security within the given project and access those tickets simply by entering the corresponding URI, e.g. "https://redmine.mycompany.at/issues/4401"
    • so a ticket of the current project is accessible although the user should have restricted access.

To the community: can you confirm this behavior/security leak?
Then this should be logged as a defect.

Thanks a lot

Immanuel.
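The pattern the post describes, a list view that filters correctly while a direct lookup by ID skips the same check, is easiest to see in a small model. The Ruby below is a constructed example added here; it is not Redmine's code and does not reproduce its data model. It assumes a simplified visibility rule with two levels, "all" and "own" (author or assignee), and shows a single visibility predicate being applied in both the list path and the direct-access path, next to an unguarded lookup that exhibits the behavior reported above.

```ruby
# Constructed illustration (not Redmine's code): one visibility predicate shared by
# the issue list and direct access by ID, contrasted with an unguarded lookup.

Issue = Struct.new(:id, :project, :author, :assignee)
# role_visibility maps a project identifier to "all" or "own" (hypothetical model).
User  = Struct.new(:name, :role_visibility)

# Single source of truth for "may this user see this issue?".
# "own" mirrors the "only issues created by or assigned" setting: the user must be
# the author or the assignee. A user with no role in the project sees nothing.
def issue_visible?(issue, user)
  case user.role_visibility[issue.project]
  when "all" then true
  when "own" then issue.author == user.name || issue.assignee == user.name
  else false
  end
end

# List path: filter through the shared predicate (matches the "OK" observations).
def visible_issues(issues, user)
  issues.select { |i| issue_visible?(i, user) }
end

# Direct access by ID, guarded: the same predicate decides, so knowing an ID is
# not enough. Returns the issue, :forbidden, or :not_found.
def show_issue(issues, user, id)
  issue = issues.find { |i| i.id == id }
  return :not_found if issue.nil?
  return :forbidden unless issue_visible?(issue, user)
  issue
end

# Direct access by ID, unguarded: looks the record up and returns it without
# consulting the predicate. This is the defect pattern the post reports
# (the URI /issues/<id> reveals an issue the list view correctly hides).
def show_issue_unguarded(issues, _user, id)
  issues.find { |i| i.id == id } || :not_found
end

# Constructed sample data.
ISSUES = [
  Issue.new(4401, "proj", "alice", "bob"),
  Issue.new(4402, "proj", "carol", "alice"),
  Issue.new(4403, "proj", "carol", "dave"),
].freeze

BOB     = User.new("bob",     { "proj" => "own" }).freeze  # restricted member
MANAGER = User.new("manager", { "proj" => "all" }).freeze  # sees every issue

if __FILE__ == $PROGRAM_NAME
  puts "bob's list:      #{visible_issues(ISSUES, BOB).map(&:id).inspect}"
  puts "bob /issues/4403 guarded:   #{show_issue(ISSUES, BOB, 4403).inspect}"
  puts "bob /issues/4403 unguarded: #{show_issue_unguarded(ISSUES, BOB, 4403).inspect}"
  puts "manager's list:  #{visible_issues(ISSUES, MANAGER).map(&:id).inspect}"
end
```

The point for a reviewer of any issue tracker is that the list filter and the per-record controller action must share one authorization predicate; a mismatch between them is exactly what produces "hidden in the list, visible by URI".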