- Make sure you are logged out
- Go to the search page /search/
- Search for "test"
Some of the result links will be for a private project. The links themselves will fail with 403, but they should still not show up there.
Discussion
-
Rui Ferreira
2013-04-04
A quick update on this. The search page was showing results for private projects (as well as deleted projects), I've changed the search method so that:
- results inside a private project will only show up if the user has the "read" permission for that project
- results for deleted projects will not show up
Still this is not completely solved. It is (probably) still possible for a user with "read" permissions for a project to see private results within that project, e.g. a private ticket inside a public project might still show up.
-
Rui Ferreira
2013-04-23
Case in point, http://opensourceprojects.eu/search/?q=roll
-
Carla Leite
2013-04-23
- labels: --> search
- assigned_to: Rui Ferreira
Last edit: Carla Leite 2013-04-23
-
João Paulo Barraca
2013-05-08
"Still this is not completely solved. It is (probably) still possible for a user with "read" permissions for a project to see private results within that project, e.g. a private ticket inside a public project might still show up."
Is this a problem? If the user has read permissions, the results are expected to be returned. Even if the ticket is private.
-
Rui Ferreira
2013-05-09
These results are returned even when you don't have read permissions.
The problem is minimal in terms of security because when the user actually opens the link he gets a 403. But it is still annoying for a large number of results (e.g. site-wide search).
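The two-level check described in the 2013-04-04 comment and the residual gap discussed here (a private ticket inside a public project passing a project-only gate), as an added illustration; this is constructed example code, not the site's own search code, and the Project/Hit classes, the "readers" sets and the sample data are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Project:
    name: str
    private: bool = False
    deleted: bool = False
    readers: frozenset = frozenset()  # users holding "read" on the project

@dataclass(frozen=True)
class Hit:
    project: Project
    title: str
    private: bool = False             # artifact-level flag (e.g. a private ticket)
    readers: frozenset = frozenset()  # users allowed to read this artifact

def can_read_project(user, project):
    """Project gate: deleted projects never show; private ones need 'read'."""
    if project.deleted:
        return False
    return not project.private or user in project.readers

def can_read_hit(user, hit):
    """Full gate: project check first, then the artifact's own visibility."""
    if not can_read_project(user, hit.project):
        return False
    return not hit.private or user in hit.readers

def filter_hits(user, hits, project_only=False):
    """Titles the user may see; project_only reproduces the partial fix."""
    if project_only:
        return [h.title for h in hits if can_read_project(user, h.project)]
    return [h.title for h in hits if can_read_hit(user, h)]

# Constructed sample data; an anonymous (logged-out) visitor is user=None.
PUBLIC = Project("public-proj")
PRIVATE = Project("private-proj", private=True, readers=frozenset({"alice"}))
DELETED = Project("old-proj", deleted=True)
HITS = [
    Hit(PUBLIC, "public ticket"),
    Hit(PRIVATE, "ticket in private project"),
    Hit(DELETED, "ticket in deleted project"),
    Hit(PUBLIC, "private ticket in public project", private=True,
        readers=frozenset({"alice"})),
]

if __name__ == "__main__":
    print(filter_hits(None, HITS, project_only=True))  # leaks the private ticket
    print(filter_hits(None, HITS))                     # ['public ticket']
```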
-
Rui Ferreira
2013-05-22
- milestone: 1.0 --> 1.1
-
Rui Ferreira
2014-03-12
- milestone: 1.1 --> None