Defect #4501

URL-mangling provides data not reachable through UI

Added by Mischa The Evil almost 8 years ago. Updated over 7 years ago.

Status: Closed
Start date: 2009-12-29
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Issues
Target version: -
Resolution: Invalid
Affected version:

Description

I noticed that with some URL-mangling it is possible to gather information which is not "un-locked" by the Redmine UI. E.g. the following URL gives me Eric Davis' watch-list:

http://www.redmine.org/issues?set_filter=1&sort=updated_on:desc&watcher_id=5

Although pretty unharmful, it might be unwanted behaviour.


Related issues

Related to Redmine - Feature #8160: Extend watched_by_me-issue filter to include all project-... New

History

#1 Updated by Felix Schäfer over 7 years ago

  • Status changed from New to Closed
  • Resolution set to Invalid

I don't think it is, because you will still only see issues you have the right to see. I don't think information you can't get to with the normal UI is so sensitive that it needs to be filtered out.
