onozaty / redmine-view-customize

View customize plugin for Redmine
GNU General Public License v2.0

context leaks data user has no access to #119

Closed ftobler closed 9 months ago

ftobler commented 10 months ago

Summary

ViewCustomize.context.project.customFields leaks custom field values which the user does not have access to.

Description

ViewCustomize.context.project.customFields contains all defined custom fields for this project. It contains them even if the user does not have access to them. Access is defined for custom fields in Administration -> Custom fields -> Project -> Visible: "to these roles only". The equivalent Redmine API request to /projects/[id].json does filter the fields' access correctly.

I am no Ruby programmer, nor do I have a Redmine instance to quickly test what I am saying, but I suspect a potential fix might be: in view_hook.rb:144, change project.custom_field_values... to project.visible_custom_field_values()... This is based on the existence of Redmine's function def visible_custom_field_values(user = nil) in project.rb:1001.

Environment
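The leak described in this report, and the proposed fix, shown as an added Ruby example that is not the plugin's code and not Redmine's: the classes below (Project, CustomField, CustomFieldValue, the role strings and the two context builders) are a minimal stand-in model written for this example, and the sample project data is constructed. The only name taken from the report is visible_custom_field_values; everything else is an assumption made to keep the example self-contained.

```ruby
# Added example (not plugin or Redmine code): a stand-in model of how
# role-restricted custom fields leak into a view context, and the
# per-user filtered variant the issue proposes. All class and method
# names here are assumptions for this example, except
# visible_custom_field_values, which the report names.

# A custom field is visible to everyone, or only to the listed roles,
# mirroring the admin setting Visible: "to these roles only".
CustomField = Struct.new(:id, :name, :visible_to_all, :roles) do
  def visible_to?(user_roles)
    visible_to_all || !(roles & user_roles).empty?
  end
end

CustomFieldValue = Struct.new(:custom_field, :value)

class Project
  attr_reader :custom_field_values

  def initialize(custom_field_values)
    @custom_field_values = custom_field_values
  end

  # Stand-in for a visible_custom_field_values(user) method: keeps only
  # the values whose field the user's roles are allowed to see.
  def visible_custom_field_values(user_roles)
    custom_field_values.select { |cfv| cfv.custom_field.visible_to?(user_roles) }
  end
end

def serialize(cfv)
  { id: cfv.custom_field.id, name: cfv.custom_field.name, value: cfv.value }
end

# Leaking builder: serialises every defined field regardless of the
# requesting user's roles (the behaviour the issue reports).
def leaky_context(project)
  project.custom_field_values.map { |cfv| serialize(cfv) }
end

# Fixed builder: same output shape, but filtered for the requesting user.
def filtered_context(project, user_roles)
  project.visible_custom_field_values(user_roles).map { |cfv| serialize(cfv) }
end

# Constructed sample data for this example.
BUDGET  = CustomField.new(1, "Budget", false, ["Manager"])
TRACKER = CustomField.new(2, "Ticket URL", true, [])

SAMPLE_PROJECT = Project.new([
  CustomFieldValue.new(BUDGET, "250000"),
  CustomFieldValue.new(TRACKER, "https://example.invalid/t/1"),
])

if __FILE__ == $0
  puts "leaky (any user):    #{leaky_context(SAMPLE_PROJECT).inspect}"
  puts "filtered (Developer): #{filtered_context(SAMPLE_PROJECT, ['Developer']).inspect}"
  puts "filtered (Manager):   #{filtered_context(SAMPLE_PROJECT, ['Manager']).inspect}"
end
```

Run with `ruby leak_example.rb`: the leaky builder returns the Budget value for a Developer, the filtered one does not. The check to carry over to a real deployment is the one the report already describes: compare what ViewCustomize.context.project.customFields exposes to a low-privilege user against what /projects/[id].json returns for the same user, and treat any field present in the former but absent from the latter as a leak.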

ftobler commented 10 months ago

We were able to successfully test a fix. #120

onozaty commented 10 months ago

Thank you very much. I would like to review the contents, add the test and then merge it.

onozaty commented 9 months ago

Released at v3.5.1

Thanks.