Defect #4501
URL-mangling provides data not reachable through UI
| Status: | Closed | Start date: | 2009-12-29 | |
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: | - | % Done: | 0% | |
| Category: | Issues | |||
| Target version: | - | |||
| Resolution: | Invalid | Affected version: |
Description
I noticed that with some URL-mangling it is possible to gather information which is not "un-locked" by the Redmine UI. E.g. the following URL gives me Eric Davis' watch-list:
http://www.redmine.org/issues?set_filter=1&sort=updated_on:desc&watcher_id=5
Although pretty unharmful, it might be unwanted behaviour.
History
#1
Updated by Felix Schäfer almost 9 years ago
- Status changed from New to Closed
- Resolution set to Invalid
I don't think it is because you will still only see issues you have the right to see, I don't think information you can't get to with the normal UI is so sensitive that it needs to be filtered out.
#2
Updated by Marius BALTEANU 11 months ago
- Related to deleted (Feature #8160: Extend watched_by_me-issue filter to include all project-members instead of only <<me>>-substitution)