Topic: [1.5.3] Workspace permissions security hole

salt

[1.5.3] Workspace permissions security hole
« on: October 06, 2009, 06:14:10 pm »
I tried making a new user group, and giving it read-only access to all workspaces (except one, for depositing requests).

Then, logged in as a user of that group, if I choose a read-only workspace, I cannot create tasks by pressing "new task" in the task view of those workspaces, as expected.

But if my current workspace is "All", I'm allowed to create a new task, and within the Workspace link, can change the workspace to one of the ones to which I only have read access.  Then I can create the task.

So to recap, I can create a task in a read-only workspace by clicking New Task in "All" workspaces and changing the task's workspace to the read-only one.

The read-only workspaces shouldn't appear in the task's workspace dropdown, right?
« Last Edit: October 07, 2009, 07:23:55 pm by salt »

Pet

Re: [1.5.3] Workspace permissions security hole
« Reply #1 on: October 10, 2009, 08:48:51 pm »
The read-only workspaces will appear in the task's workspace dropdown. I think this is by design. (Not saying it is correct, but I think it was not filtered.) But definitely should not be able to create a task in "All".

salt

Re: [1.5.3] Workspace permissions security hole
« Reply #2 on: October 10, 2009, 11:11:12 pm »
I didn't mean they could create a task in "All".  When the current workspace is "all" they can begin to create a new task, then use the "workspace" option to change to a workspace that is read-only.  Then when they create the task it saves inside the read-only workspace.

However, if the current workspace is the read-only one, the "new task" option reports a permission error (as expected).
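
The behaviour reported in this thread, as an added example that is not part of any post and is not OpenGoo's code: a constructed Python model in which the write check is tied to the workspace being viewed, next to a save handler that authorizes against the workspace submitted in the task form. All names (`User`, `save_checking_current_view`, `save_checking_destination`, the "Requests" and "Projects" workspaces) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

WRITE, READ = "write", "read"
ALL = None  # "All" is a view over every workspace, not a place a task is stored

class PermissionDenied(Exception):
    pass

@dataclass
class User:
    name: str
    perms: dict = field(default_factory=dict)  # workspace name -> READ or WRITE

    def can_write(self, ws):
        return self.perms.get(ws) == WRITE

def save_checking_current_view(user, current_ws, form_ws, store):
    """Assumed model of the reported behaviour: only the viewed workspace is checked."""
    if current_ws is ALL:
        allowed = any(p == WRITE for p in user.perms.values())
    else:
        allowed = user.can_write(current_ws)
    if not allowed:
        raise PermissionDenied(current_ws)
    store.setdefault(form_ws, []).append("task")  # destination is never checked

def save_checking_destination(user, current_ws, form_ws, store):
    """Authorize at save time against the workspace the task will be stored in."""
    if form_ws is ALL or not user.can_write(form_ws):
        raise PermissionDenied(form_ws)
    store.setdefault(form_ws, []).append("task")

def writable_workspaces(user):
    """Dropdown contents if read-only workspaces are filtered out (UI only)."""
    return sorted(ws for ws, p in user.perms.items() if p == WRITE)

def attempt(save, user, current_ws, form_ws):
    """Return True if a task ended up stored in form_ws, False if denied."""
    store = {}
    try:
        save(user, current_ws, form_ws, store)
    except PermissionDenied:
        return False
    return form_ws in store

# Constructed sample: write access to one workspace, read-only on another.
USER = User("requester", {"Requests": WRITE, "Projects": READ})

if __name__ == "__main__":
    for save in (save_checking_current_view, save_checking_destination):
        for view in ("Projects", ALL):
            print(save.__name__, view, attempt(save, USER, view, "Projects"))
```

Filtering the dropdown with `writable_workspaces` only changes what the form offers; the check in `save_checking_destination` is what decides whether the submitted workspace is accepted.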