Defect #1613

Search results shown for commits in projects that a user doesn't have access to

Added by Steven Frank about 12 years ago. Updated almost 11 years ago.

Status: Closed
Start date: 2008-07-09
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Search engine
Target version: -
Resolution: Fixed
Affected version:

Description

I have several users set up to only be able to access ONE project's Issues, News, and Messages.

Logged in as one of those users, I do an arbitrary search.

From that SEARCH RESULTS page, if you change the pop up to ALL PROJECTS, and immediately re-submit the same search, the checkboxes for other types of searches suddenly appear (documents, changesets, wiki pages, projects).

If you then checkmark all of those boxes, you can do a search that will match commit messages in projects the user shouldn't have access to. You get a permission denied error if you actually try to click through to one, but the full commit message is shown in the search results anyway.

I'm not sure which version of Redmine I have, but I just updated it from Subversion (r1648)
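
The failure mode reported above, as an added Ruby example that is not part of the original report and is not Redmine's code: the permission check has to run on each hit when the result list is built, not only when the user clicks through. All class, method, permission and project names and the sample index are constructed for illustration.

```ruby
# Added illustration, not Redmine code. All names and data are hypothetical.
require 'set'

# Permission a result type requires on the project that owns the hit.
REQUIRED_PERMISSION = {
  issue: :view_issues, news: :view_news, message: :view_messages,
  changeset: :view_changesets, document: :view_documents, wiki_page: :view_wiki
}.freeze

Hit = Struct.new(:type, :project, :text)

class User
  def initialize(grants) # { project name => [permissions] }
    @grants = grants.transform_values(&:to_set)
  end

  def allowed?(permission, project)
    @grants.fetch(project, Set.new).include?(permission)
  end
end

# Constructed sample index spanning a permitted and a private project.
INDEX = [
  Hit.new(:issue,     'alpha',  'login timeout on slow links'),
  Hit.new(:changeset, 'alpha',  'fix login timeout'),
  Hit.new(:changeset, 'secret', 'rotate login credentials for prod'),
  Hit.new(:document,  'secret', 'login runbook')
].freeze

# Flawed: trusts the submitted types; "all projects" applies no project filter.
def search_unscoped(_user, query, types)
  INDEX.select { |h| types.include?(h.type) && h.text.include?(query) }
end

# Corrected: a hit is returned only if the user holds the permission for that
# hit's type on that hit's project, so its text never reaches the result page.
def search_scoped(user, query, types)
  INDEX.select do |h|
    types.include?(h.type) && h.text.include?(query) &&
      user.allowed?(REQUIRED_PERMISSION.fetch(h.type), h.project)
  end
end

def demo
  user = User.new('alpha' => %i[view_issues view_news view_messages])
  types = REQUIRED_PERMISSION.keys # every checkbox ticked, all projects
  { unscoped: search_unscoped(user, 'login', types).map(&:text),
    scoped: search_scoped(user, 'login', types).map(&:text) }
end
```

Because the filter sits in the query path, hiding or showing the extra checkboxes has no effect on what a user can retrieve.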

Associated revisions

Revision 1649
Added by Jean-Philippe Lang about 12 years ago

Fixed: search engine may reveal private projects (#1613).

History

#1 Updated by Jean-Philippe Lang about 12 years ago

  • Status changed from New to Resolved
  • Affected version (unused) set to devel
  • Resolution set to Fixed

This should be fixed in r1649.
Can you confirm? Thanks.

#2 Updated by Steven Frank about 12 years ago

Updated to r1651. Commits for inaccessible projects are no longer matched by the search. Thanks!

The extra checkboxes for search scope still appear when the search is submitted a second time. At this point it's basically just a cosmetic issue, so I leave it to you to decide if it warrants fixing.

#3 Updated by Mischa The Evil almost 11 years ago

  • Status changed from Resolved to Closed

Steven Frank wrote:

Updated to r1651. Commits for inaccessible projects are no longer matched by the search. Thanks!

This confirms that the initial issue's subject has been solved [sic] I'll close this issue with resolution fixed.

Steven Frank wrote:

The extra checkboxes for search scope still appear when the search is submitted a second time. At this point it's basically just a cosmetic issue, so I leave it to you to decide if it warrants fixing.

This is indeed another thing. It should be filed as a dedicated issue of the tracker-type feature of the category "UI" if there's still a need for such a feature. I'll leave it to the initial author of the issue to take appropriate actions ;)
