Defect #15613
'Add watchers' within the new issue reveals all the accounts
Status: | Closed | Start date: | ||
---|---|---|---|---|
Priority: | Normal | Due date: | ||
Assignee: | - | % Done: | 0% | |
Category: | Issues permissions | |||
Target version: | - | |||
Resolution: | Duplicate | Affected version: | 2.3.2 |
Description
Hi,
'Add watchers' within the new issue reveals all the Redmine accounts, not only the project accounts. We consider it as a security issues and we had to remove the link from issue page.
Version:
We are using Redmine 2.3.2.stable
Expected behavior:
Redmine should list only the accounts available to the logged user.
Thanks,
David Hrbáč
Related issues
History
#1
Updated by Toshi MARUYAMA over 8 years ago
- Status changed from New to Closed
- Resolution set to Duplicate
Duplicate with #15123.
#2
Updated by Toshi MARUYAMA over 8 years ago
- Duplicates Defect #15123: "Add watcher" leaks all active users added