Actions
Defect #4501
closed
URL-mangling provides data not reachable through UI
Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Issues
Target version:
-
Start date:
2009-12-29
Due date:
% Done:
0%
Estimated time:
Resolution:
Invalid
Affected version:
Description
I noticed that with some URL-mangling it is possible to gather information which is not "un-locked" by the Redmine UI. E.g. the following URL gives me Eric Davis' watch-list:
http://www.redmine.org/issues?set_filter=1&sort=updated_on:desc&watcher_id=5
Although pretty unharmful, it might be unwanted behaviour.
Updated by Felix Schäfer about 15 years ago
- Status changed from New to Closed
- Resolution set to Invalid
I don't think it is because you will still only see issues you have the right to see, I don't think information you can't get to with the normal UI is so sensitive that it needs to be filtered out.
Updated by Marius BĂLTEANU about 7 years ago
- Related to deleted (Feature #8160: Extend watched_by_me-issue filter to include all project-members instead of only <<me>>-substitution)
Actions