Defect #27804

Restriction of user visibility isn't working with internal authentication

Added by Philip Heise about 1 year ago. Updated 11 months ago.

Status: Needs feedback
Priority: Normal
Assignee: -
Category: Security
Target version: -
Start date: -
Due date: -
% Done: 0%
Resolution: -
Affected version: 3.3.1

Description

Hi,

I'm using Redmine 3.3.1 (Debian Stretch). I have two authentication methods configured: internal and LDAP. In the Settings I use the following settings:
- User visibility: Members of visible projects
- Member management: All Roles
- Permissions: Manager members

I discovered that the restriction to view only members of visible projects (in every project's members configuration) only works for users with LDAP authentication. If a user account uses the internal authentication it can view the list of all redmine user accounts.

show-user.png (14.9 KB) Toshi MARUYAMA, 2018-01-13 18:35

foto.png (51.2 KB) Philip Heise, 2018-02-14 19:57

History

#1 Updated by Toshi MARUYAMA about 1 year ago

  • File show-user.png added
  • Status changed from New to Needs feedback

I cannot reproduce on vanilla Redmine 3.3.5.
I got 404 on both internal and LDAP.

Philip Heise wrote:

If a user account uses the internal authentication it can view the list of all redmine user accounts.

Which form is the list?

#2 Updated by Philip Heise 11 months ago

Which form is the list?

It's the user select dialog that opens when you want to add new users in the project's configuration.
