Defect #4501

URL-mangling provides data not reachable through UI

Added by Mischa The Evil about 13 years ago. Updated over 12 years ago.

Status:ClosedStart date:2009-12-29
Priority:NormalDue date:
Assignee:-% Done:


Target version:-
Resolution:Invalid Affected version:


I noticed that with some URL-mangling it is possible to gather information which is not "un-locked" by the Redmine UI. E.g. the following URL gives me Eric Davis' watch-list:

Although pretty unharmful, it might be unwanted behaviour.


#1 Updated by Felix Schäfer over 12 years ago

  • Status changed from New to Closed
  • Resolution set to Invalid

I don't think it is because you will still only see issues you have the right to see, I don't think information you can't get to with the normal UI is so sensitive that it needs to be filtered out.

#2 Updated by Marius BALTEANU over 4 years ago

  • Related to deleted (Feature #8160: Extend watched_by_me-issue filter to include all project-members instead of only <<me>>-substitution)

Also available in: Atom PDF