View Issue Details

ID: 0000717
Project: JEDI VCS
Category: Server
View Status: public
Last Update: 2007-01-25 08:14
Reporter: USchuster
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: confirmed
Resolution: open
Product Version: 2.40 RC1 (Client)
Target Version:
Fixed in Version:
Summary: 0000717: Security problem in GET_PROJECT_GROUP_INFORMATION

Description: It is possible to execute GET_PROJECT_GROUP_INFORMATION with a Guest account although read only access is necessary.

Steps to reproduce it:
- create a Guest account
- grant at least a read only access to one project
- login as the Guest
- open the project tree (Menu:ProjectOpen)
  (now you will see no project groups - all projects are under <Unassigned Projects>)
- open the project with the read only access
- open the project tree again
  (now you will see project groups)

Additional Information: GET_PROJECT_GROUP_INFORMATION uses GetProjectRelatedRight to check the rights - GetArchiveRelatedRight should be used there?

This problem could also exist in other functions.

Tags: No tags attached.
Fix in JVCS version: 2.40 Final (Client)
Releasedocumentation

Relationships

has duplicate 0000996 closed USchuster Projects hierarchy is not accessible for Guest user, until available project is opened.
has duplicate 0001010 closed USchuster Add ability to revoke read-only access from specific user

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2005-06-14 04:32 THuber Fix in JVCS version => 2.50
2005-12-29 13:23 THuber Fix in JVCS version 2.50 => 2.40 Final (Client)
2005-12-29 13:23 THuber Product Version 2.40 (First JVCS release) => 2.40 RC1 (Client)
2005-12-29 13:31 THuber Relationship added child of 0002377
2006-01-01 07:06 USchuster Relationship deleted child of 0002377
2007-01-25 02:03 anonymous Note Added: 0010588
2007-01-25 08:14 anonymous Note Added: 0010656