Feature #44261
openRestrict user mentions to project members to prevent unintended notifications to non-members
Description
Currently, the mention feature ( introduced in #13919 ) allows mentioning users who are not members of the project:
- In the auto-completion (
WatchersController#users_for_mention), when the user types@followed by some characters, the candidate list falls back toPrincipal.assignable_watchers.limit(10), which searches across ALL active users regardless of project membership. Only the initial@(empty query) case is scoped to@project.principals. - More importantly, the mention parser itself (
Redmine::Acts::Mentionable#get_mentioned_users) resolves@logintoUser.visible.activewithout any project membership check. So if a user types a login manually (without using auto-completion), a user who is not a member of the project can be mentioned and will receive a notification email containing the issue/journal/wiki content, as long as the object is visible to them (e.g. public projects, or roles withusers_visibility = "all").
This is an information-leak risk: a typo or a wrong pick from the auto-completion list can send issue contents to someone outside the project team. Restricting the users_visibility setting on roles (as often suggested as a workaround) only narrows the candidate list for non-admin users; it does not prevent case 2 above.
The attached patch changes both places so that only members of the object's project can be mentioned:
WatchersController#users_for_mention: always scope the candidates to@project.principalswhen a project is present, with or without a query string.Redmine::Acts::Mentionable#get_mentioned_users: when the mentionable object has a project, filter the mentioned users to the project's principals. Administrators are exempt from this check, consistent with the existing behavior/tests (admins can view everything anyway, so there is no leak concern, and an existing test expects an admin who is not a member to be notified for private notes).
The existing visibility check in notified_mentions (mentioned user must be able to view the object) is kept as-is; the membership check is applied in addition to it.
The patch includes regression tests for both changes:
Redmine::Acts::MentionableTest: a user who does not belong to any project is not included in mentioned_users.WatchersControllerTest:autocomplete_for_mentionwith a query does not return users outside the project.
All related tests pass (mentionable_test, watchers_controller_test, issue_test, journal_test, wiki_content_test, issues_controller_test: 883 runs, 0 failures) and RuboCop reports no offenses on the changed files.
The patch is against current trunk (c8c8b82e).
Files
Updated by Holger Just about 3 hours ago
- Description updated (diff)
This is an information-leak risk: a typo or a wrong pick from the auto-completion list can send issue contents to someone outside the project team.
Redmine only sends notifications to users who can see the issue anyways. As such, the current implementation is not an information-leak as the notified user can just navigate to the issue themselves. In fact, the user-mention feature and its offered users are modeled after the watchers feature and the offered users for mentioning are the same as when adding watchers.
So if a user types a login manually (without using auto-completion), a user who is not a member of the project can be mentioned and will receive a notification email containing the issue/journal/wiki content, as long as the object is visible to them
This is a feature to allow users to be mentioned who are not necessarily project members. As explained, this is not a security issue nor a bug. Instead, the project memberships and roles must be defined correctly to restrict object visibility to only those users who should see it. Once that is correctly configured, only those users who can view an issue are offered as watchers or notifiable users.
As explained, restricting the user visibility does not change anything about the ability of other users to view issues at all (e.g. in public projects). Restricting the list of users who can be mentioned does not restrict who can view an issue. As such, it seems that the LLM tool which you used to "write" this issue and the patch confused object visibility with user visibility.
Consequently, I'm voting against applying this patch. It does not solve the claimed issue and actively hinders valid use-cases.