#8335 Generic search doesn't do permission checks

v1.12.0
closed
security (31)
General
nobody
2019-10-07
2019-10-01
No

The search tool for project-wide search or generic tool searching (not specialized search handlers like ticket search) doesn't do permission checks and may expose some snippets of information.

Discussion

  • Dave Brondsema - 2019-10-01
    • status: in-progress --> review
     
  • Dave Brondsema - 2019-10-01

    Fixed on db/8335

    QA:
    Test various scenarios such as a private artifact (like a ticket), comments on private artifacts, and private tools. Project-wide search like /p/test/search is the best place to test, but also spot-check generic search on any non-ticket tool like /p/test/wiki/search.

     
  • Kenton Taylor - 2019-10-01
    • status: review --> closed
     
  • Dave Brondsema - 2019-10-04
    • Milestone: unreleased --> v1.12.0
     
  • Dave Brondsema - 2019-10-07
    • private: Yes --> No
     

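An added sketch (not Allura's code and not the db/8335 fix) of filtering generic search hits by read permission before any snippet is rendered, covering the QA scenarios listed in the thread: a private artifact, a comment on a private artifact, and a private tool. The `Tool` and `Artifact` classes, the role names and the sample hits are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical data model for illustration; not Allura's classes or API.
@dataclass
class Tool:
    mount: str
    readers: set                          # roles allowed to read this tool

@dataclass
class Artifact:
    id: str
    tool: Tool
    snippet: str
    readers: Optional[set] = None         # None means "inherit the tool ACL"
    parent: Optional["Artifact"] = None   # set for comments on an artifact

def can_read(roles, artifact):
    """True only if the tool, the artifact and every ancestor are readable."""
    node = artifact
    while node is not None:
        acl = node.tool.readers if node.readers is None else node.readers
        # The tool ACL is always enforced, even if the artifact ACL is wider.
        if not (roles & acl and roles & node.tool.readers):
            return False
        node = node.parent                # a comment inherits its parent's privacy
    return True

def filter_hits(roles, hits):
    """Drop hits the caller may not read, so their snippets never reach the page."""
    return [h for h in hits if can_read(roles, h)]

# Constructed sample index contents.
wiki = Tool("wiki", {"anonymous", "member"})
tickets = Tool("tickets", {"anonymous", "member"})
internal = Tool("internal", {"member"})   # private tool

public_page = Artifact("wiki/Home", wiki, "Welcome")
private_ticket = Artifact("tickets/8", tickets, "details", readers={"member"})
comment = Artifact("tickets/8#c1", tickets, "discussion", parent=private_ticket)
internal_doc = Artifact("internal/Plan", internal, "roadmap")
SAMPLE_HITS = [public_page, private_ticket, comment, internal_doc]

def visible_ids(roles):
    """IDs of the sample hits that a caller holding `roles` would see."""
    return [h.id for h in filter_hits(roles, SAMPLE_HITS)]

if __name__ == "__main__":
    print("anonymous:", visible_ids({"anonymous"}))
    print("member:   ", visible_ids({"member"}))
```

Filtering after the index query means result counts and paging must be computed on the filtered list as well, otherwise the totals still reveal that hidden matches exist.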