Defect #27804

Restriction of user visibility isn't working with internal authentication

Added by Philip Heise about 1 month ago. Updated 9 days ago.

Status: Needs feedback
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Security
Target version: -
Resolution:
Affected version: 3.3.1

Description

Hi,

I'm using Redmine 3.3.1 (Debian Stretch). I have two authentication methods configured: internal and LDAP. In the Settings I use the following settings:
- User visibility: Members of visible projects
- Member management: All Roles
- Permissions: Manage members

I discovered that the restriction to view only members of visible projects (in every project's members configuration) only works for users with LDAP authentication. If a user account uses the internal authentication, it can view the list of all Redmine user accounts.

show-user.png (14.9 KB) Toshi MARUYAMA, 2018-01-13 18:35

History

#1 Updated by Toshi MARUYAMA 9 days ago

  • File show-user.png added
  • Status changed from New to Needs feedback

I cannot reproduce on vanilla Redmine 3.3.5.
I got 404 on both internal and LDAP.

Philip Heise wrote:

If a user account uses the internal authentication it can view the list of all redmine user accounts.

Which form is the list?
