Messages

1

Older versions / Re: [1.5.3] Workspace permissions security hole

« on: October 10, 2009, 11:11:12 pm »

I didn't mean they could create a task in "All".  When the current workspace is "all" they can begin to create a new task, then use the "workspace" option to change to a workspace that is read-only.  Then when they create the task it saves inside the read-only workspace.

However, if the current workspace is the read-only one, the "new task" option reports a permission error (as expected).

2

Older versions / [1.5.3] Workspace permissions security hole

« on: October 06, 2009, 06:14:10 pm »

I tried making a new user group, and giving it read-only access to all workspaces (except one, for depositing requests).

Then, logged in as a user of that group, if I choose a read-only workspace, I cannot create tasks by pressing "new task" in the task view of those workspaces, as expected.

But if my current workspace is "All", I'm allowed to create a new task, and within the Workspace link, can change the workspace to one of the ones to which I only have read access.  Then I can create the task.

So to recap, I can create a task in a read-only workspace by clicking New Task in "All" workspaces and changing the task's workspace to the read-only one.

The read-only workspaces shouldn't appear in the task's workspace dropdown, right?