Defect #27804

open

Restriction of user visibility isn't working with internal authentication

Added by Philip Heise over 6 years ago. Updated about 6 years ago.

Status: Needs feedback
Priority: Normal
Assignee: -
Category: Security
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution:
Affected version:

Description

Hi,

I'm using Redmine 3.3.1 (Debian Stretch). I have two authentication methods configured: internal and LDAP. In the Settings I use the following settings:
- User visibility: Members of visible projects
- Member management: All Roles
- Permissions: Manager members

I discovered that the restriction to view only members of visible projects (in every project's members configuration) only works for users with LDAP authentication. If a user account uses the internal authentication it can view the list of all redmine user accounts.


Files

show-user.png (14.9 KB), Toshi MARUYAMA, 2018-01-13 18:35
foto.png (51.2 KB), Philip Heise, 2018-02-14 19:57
Actions #1

Updated by Toshi MARUYAMA over 6 years ago

I cannot reproduce on vanilla Redmine 3.3.5.
I got 404 on both internal and LDAP.

Philip Heise wrote:

If a user account uses the internal authentication it can view the list of all redmine user accounts.

Which form is the list?

Actions #2

Updated by Philip Heise about 6 years ago

Which form is the list?

It's the user select dialog that opens when you want to add new users in the project's configuration.
