URL-mangling provides data not reachable through UI
I noticed that with some URL-mangling it is possible to gather information which is not "un-locked" by the Redmine UI. E.g. the following URL gives me Eric Davis' watch-list:
Although pretty unharmful, it might be unwanted behaviour.
#1 Updated by Felix Schäfer over 8 years ago
- Status changed from New to Closed
- Resolution set to Invalid
I don't think it is because you will still only see issues you have the right to see, I don't think information you can't get to with the normal UI is so sensitive that it needs to be filtered out.