View Issue Details

ID: 0000254
Project: v1.2 Release (Closed)
Category: [All Projects] General
View Status: public
Last Update: 2009-12-08 19:07
Reporter: mpohoril
Assigned To: pedroa
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version:
Target Version:
Fixed in Version: 1.2
Summary: 0000254: Unauthorized view of companies and users when assigning people to a task
Description:
Situation:

1. User1 belongs to Company1 and is allowed to see all non-admin modules, except companies. User1 can only see Company1.

2. When User1 creates a new task for a project (which, of course, belongs to Company1), he may only add task contacts which belong to Company1 and Administrators (Admin roles), BUT!

3. If User1 selects an administrator for task contacts, closes the selection window, ____and then clicks "select contacts" again____,
HE SEES ALL THE CONTACTS WHICH ARE AVAILABLE TO THE ADMINISTRATOR, and this is a security problem.
Tags: No tags attached.

Notes

~0000478

mpohoril (reporter)

An addition to item 2 of the bug description:
Administrators (Admin roles) are actually users who do not belong to any company but have administrative rights.

If assigned to a company different from Company1, they cannot be selected in the way described before. But this does not resolve the bug itself.

~0000590

caseydk (administrator)

Resolved this one in r777 by applying the proper Company and Department permissions.

Issue History

Date Modified | Username | Field | Change
2009-09-12 05:14 | mpohoril | New Issue |
2009-09-12 05:28 | mpohoril | Note Added: 0000478 |
2009-09-15 09:10 | caseydk | Project | v1.1 Release (Closed) => v1.2 Release (Closed)
2009-09-22 09:19 | pedroa | Status | new => assigned
2009-09-22 09:19 | pedroa | Assigned To | => pedroa
2009-11-17 19:36 | caseydk | Status | assigned => resolved
2009-11-17 19:36 | caseydk | Resolution | open => fixed
2009-11-17 19:36 | caseydk | Note Added: 0000590 |
2009-12-08 19:07 | caseydk | Status | resolved => closed
2009-12-08 19:07 | caseydk | Fixed in Version | => 1.2