Defect #16569

closed

watchlist search displays users that are not members to the current project

Added by Hervé Brelay about 11 years ago. Updated about 11 years ago.

Status: Closed
Priority: Urgent
Assignee: -
Category: -
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Duplicate
Affected version:
Description

Assuming the following:

- User1 has access to Project1 (regular developer)
- User2 has access to Project2 (regular developer)

When User1 wants to add a watcher on an issue in Project1, it gets a list of users that can be one by one selected, as well as a "search" box on top.

When typing any letter in the search box, the selectable list is refreshed, but now shows names of users that are not in the Project (i.e. typing "u" would show User2); backspace then shows the whole list of Redmine users.

This is quite undesirable as in most installations, some projects are not public, hence their members should not show up in some other project's UI screen.

This has been found on 2.3.2.
It is still present in a test install of 2.5.0.

This is quite serious as it violates privacy settings.
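The behaviour reported above, reduced to a self-contained Ruby model (an added example, not Redmine's code; the sample data, `project_members`, `leaked_names` and the `watcher_candidates_*` functions are hypothetical). It puts the unscoped search path next to a form that only filters within project membership, plus a check that can serve as a regression test.

```ruby
# Constructed sample data; names mirror the report (User1/Project1, User2/Project2).
User = Struct.new(:id, :name)
USERS = [User.new(1, "User1"), User.new(2, "User2"), User.new(3, "User3")].freeze
MEMBERSHIPS = { "Project1" => [1], "Project2" => [2, 3] }.freeze # project => member ids

# Hypothetical helper: the users that belong to the given project.
def project_members(project)
  ids = MEMBERSHIPS.fetch(project, [])
  USERS.select { |u| ids.include?(u.id) }
end

# Behaviour described in the report: the initial list is scoped to the project,
# but the search path queries every user, and an empty query (after backspace)
# matches all of them.
def watcher_candidates_leaky(project, query = nil)
  return project_members(project) if query.nil?
  USERS.select { |u| u.name.downcase.include?(query.downcase) }
end

# Scoped form: both paths start from the same membership set, so a search
# term can only narrow the list, never widen it.
def watcher_candidates_scoped(project, query = nil)
  q = query.to_s.strip.downcase
  members = project_members(project)
  q.empty? ? members : members.select { |u| u.name.downcase.include?(q) }
end

# Regression check: any returned user who is not a project member is a leak.
def leaked_names(project, results)
  allowed = project_members(project).map(&:id)
  results.reject { |u| allowed.include?(u.id) }.map(&:name)
end
```
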

Actions #1

Updated by Toshi MARUYAMA about 11 years ago

  • Status changed from New to Closed
  • Resolution set to Duplicate

Duplicate with #11724.
