Topics - salt

Older versions / [1.5.3] Workspace permissions security hole
« on: October 06, 2009, 06:14:10 pm »
I tried making a new user group, and giving it read-only access to all workspaces (except one, for depositing requests).

Then, logged in as a user of that group, if I choose a read-only workspace, I cannot create tasks by pressing "new task" in the task view of those workspaces, as expected.

But if my current workspace is "All", I'm allowed to create a new task, and within the Workspace link, can change the workspace to one of the ones to which I only have read access.  Then I can create the task.

So to recap, I can create a task in a read-only workspace by clicking New Task in "All" workspaces and changing the task's workspace to the read-only one.

The read-only workspaces shouldn't appear in the task's workspace dropdown, right?
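
The report above implies two controls: the workspace dropdown should list only writable workspaces, and the save step should authorize against the workspace the task is actually filed into, whichever view "New Task" was clicked from. A minimal sketch of both follows, as an added example that is not code from the application discussed; the `User` model, function names, and sample workspaces are hypothetical.

```python
# Added illustration; every name and the data model below are hypothetical.
from dataclasses import dataclass, field

READ, WRITE = "read", "write"


@dataclass
class User:
    name: str
    # workspace name -> set of granted permissions (constructed sample model)
    grants: dict = field(default_factory=dict)

    def can(self, perm, workspace):
        return perm in self.grants.get(workspace, set())


class PermissionDenied(Exception):
    pass


def writable_workspaces(user, all_workspaces):
    """Options for the task form's workspace dropdown: writable ones only."""
    return [ws for ws in all_workspaces if user.can(WRITE, ws)]


def create_task(user, title, target_workspace, store):
    """Authorize against the workspace the task is saved into.

    The view the user started from ("All" or a single workspace) is
    deliberately not an input. Only the submitted destination matters, and
    it is re-checked here even when the dropdown was already filtered,
    because a client can submit any workspace value.
    """
    if not user.can(WRITE, target_workspace):
        raise PermissionDenied(
            f"{user.name} has no write access to {target_workspace!r}")
    task = {"title": title, "workspace": target_workspace, "owner": user.name}
    store.append(task)
    return task


# Constructed sample: read-only everywhere except the "Requests" workspace.
WORKSPACES = ["Engineering", "Finance", "Requests"]
requester = User("requester", {
    "Engineering": {READ},
    "Finance": {READ},
    "Requests": {READ, WRITE},
})
```

Filtering the dropdown alone is a usability fix; the check inside `create_task` is what enforces the permission.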
