berti92 / mega_calendar

Plugin for redmine: Brings a better calendar and more opportunities to display issues and holidays
http://www.devbert.de/index.php/en/project/megacalendar/
MIT License

Remove login requirement for export #124

Closed JiriValasek closed 1 month ago

JiriValasek commented 1 month ago

The inherited check_if_login_required denied export with only API key authentication and forcibly redirected to login. This was making it unusable for web calendar import in M365 Exchange, Google Calendar, etc.

berti92 commented 1 month ago

Thank you very much for your PR. Sadly, I can't merge this because skipping the login brings a security issue. This means everyone can export all of the issues as .ics.

JiriValasek commented 1 month ago

There is still your authentication through API key or login. So any user can export issues as ics, but not everyone.

Could you explain the security issue a bit more please?

berti92 commented 1 month ago

With the except keyword you tell Redmine that no login will be required for this method. This means everyone who is able to reach your Redmine can also download the ics, which includes all issues. You wrote that you are using v1.5.0; please try the latest version, I think what you want to achieve is already possible.

JiriValasek commented 1 month ago

The except does not exclude :check_plugin_right, which checks login or API keys. It's more of a forced override than a circumvention.

Regarding the version, I switched to the latest afterwards, but it did not help.

berti92 commented 1 month ago

> Regarding the version, I switched to the latest afterwards, but it did not help.

If you enabled the REST API and you paste the URL /calendar/export?key= in the browser, then it's a bug. Please provide screenshots of the error and I'll have a look again.
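The filter-chain behaviour the two sides argue over above, as an added illustration that is not code from mega_calendar or Redmine: a stand-in for the before_action / skip_before_action semantics of a Rails controller, Redmine's check_if_login_required reduced to "session user or redirect to login", and a hypothetical check_plugin_right that accepts either a session user or a ?key= API key. The stored key, the user name and the LOGIN_REQUIRED flag are constructed values.

```ruby
# Constructed sample data (hypothetical, not Redmine's): one stored API key
# with its owner, and the instance-wide "authentication required" setting.
API_KEYS = { 'a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2' => 'jiri' }.freeze
LOGIN_REQUIRED = true

# A request is a session user (nil when anonymous) plus query parameters.
Request = Struct.new(:session_user, :params, keyword_init: true)

# Stand-in for a Rails controller filter chain: before_action appends a named
# check, skip_before_action records which actions no longer run it.
class FilterChain
  def initialize
    @filters = []
    @skips = Hash.new { |h, k| h[k] = [] }
  end

  def before_action(name)
    @filters << name unless @filters.include?(name)
  end

  # Rails semantics: `only:` skips the check just for those actions, `except:`
  # skips it for every action but those, and neither skips it everywhere.
  def skip_before_action(name, only: nil, except: nil)
    @skips[name] << lambda do |action|
      (only.nil? || only.include?(action)) && !(except && except.include?(action))
    end
  end

  def filters_for(action)
    @filters.reject { |name| @skips[name].any? { |skip| skip.call(action) } }
  end
end

module Checks
  # The inherited login check reduced to its effect: with login required and
  # no session user, the request is redirected to the login page. An API key
  # in the query string is not consulted here.
  def self.check_if_login_required(req)
    return nil unless LOGIN_REQUIRED
    req.session_user ? nil : :redirect_to_login
  end

  # Hypothetical plugin-level check: a session user passes, otherwise ?key=
  # must match a stored key (constant-time comparison, so a wrong key leaks
  # nothing about how much of it was right).
  def self.check_plugin_right(req)
    return nil if req.session_user
    key = req.params.fetch('key', '')
    API_KEYS.keys.any? { |stored| secure_equal?(stored, key) } ? nil : :forbidden
  end

  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Runs the checks that apply to `action`; the first one to halt wins,
# otherwise the .ics would be rendered.
def dispatch(chain, req, action: :export)
  chain.filters_for(action).each do |name|
    outcome = Checks.public_send(name, req)
    return outcome if outcome
  end
  :ics_delivered
end

# Inherited behaviour: only the login check, never skipped.
def chain_inherited
  c = FilterChain.new
  c.before_action(:check_if_login_required)
  c
end

# Login check skipped for :export with nothing else guarding the action.
def chain_skip_only
  c = chain_inherited
  c.skip_before_action(:check_if_login_required, only: [:export])
  c
end

# Login check skipped for :export, but a plugin check still runs after it.
def chain_skip_with_plugin_right
  c = chain_skip_only
  c.before_action(:check_plugin_right)
  c
end

ANON      = Request.new(session_user: nil,    params: {})
KEY_ONLY  = Request.new(session_user: nil,    params: { 'key' => API_KEYS.keys.first })
BAD_KEY   = Request.new(session_user: nil,    params: { 'key' => 'x' * 40 })
LOGGED_IN = Request.new(session_user: 'jiri', params: {})

if __FILE__ == $PROGRAM_NAME
  [chain_inherited, chain_skip_only, chain_skip_with_plugin_right].each do |chain|
    puts [ANON, KEY_ONLY, BAD_KEY, LOGGED_IN].map { |req| dispatch(chain, req) }.inspect
  end
end
```

With the inherited chain a key-only request is redirected to login, which is the complaint in the PR description; with the login check skipped and nothing after it, an anonymous request gets the .ics, which is the concern in the first reply; with a second filter that validates the session or the key, anonymous and wrong-key requests are refused while session and valid-key requests succeed. Whether a real deployment lands in the second or third case depends on what other filters the controller still runs for that action.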