|View Issue Details|
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0000254||v1.2 Release (Closed)||[All Projects] General||public||2009-09-12 05:14||2009-12-08 19:07|
|Target Version||Fixed in Version||1.2|
|Summary||0000254: Unauthorized view of companies and users when assigning people to a task|
1. User1 belongs to Company1 and is allowed to see all non-admin modules, except companies. User1 can only see Company1.
2. When User1 creates a new task for a project (which, of course, belongs to Company1), he may only add task contacts which belong to Company1 and Administrators (Admin roles), BUT!
3. If User1 selects an administrator for task contacts, closes the selection window, ____and then clicks "select contacts" again____,
HE SEES ALL THE CONTACTS WHICH ARE AVAILABLE TO THE ADMINISTRATOR, and this is a security problem.
|Tags||No tags attached.|
An addition to item 2 of the bug description:
Administrators (Admin roles) are actually users who do not belong to any company but have administrative rights.
If assigned to a company different from Company1, they cannot be selected in the way described before. But this does not resolve the bug itself.
|Resolved this one in r777 by applying the proper Company and Department permissions;|
|2009-09-12 05:14||mpohoril||New Issue|
|2009-09-12 05:28||mpohoril||Note Added: 0000478|
|2009-09-15 09:10||caseydk||Project||v1.1 Release (Closed) => v1.2 Release (Closed)|
|2009-09-22 09:19||pedroa||Status||new => assigned|
|2009-09-22 09:19||pedroa||Assigned To||=> pedroa|
|2009-11-17 19:36||caseydk||Status||assigned => resolved|
|2009-11-17 19:36||caseydk||Resolution||open => fixed|
|2009-11-17 19:36||caseydk||Note Added: 0000590|
|2009-12-08 19:07||caseydk||Status||resolved => closed|
|2009-12-08 19:07||caseydk||Fixed in Version||=> 1.2|