Security Loophole with Queries

If you are having a problem using Fortress, post a message here.

Moderator: SourceGear

BrokenBokken
Posts: 5
Joined: Fri Jul 25, 2008 1:25 pm

Security Loophole with Queries

Post by BrokenBokken » Fri Aug 01, 2008 12:21 pm

Our team wanted to be able to share useful queries, so we decided to see if other users could get to a user's query if they have the URL.

User A is the owner of the query. He sent a link to User B to the query. User B clicks the link, can see the query, and decides to rename it. User A suddenly sees that his query has been renamed.

The system makes queries user specific, but does not protect them from being modified by other users.

On a side note, it would be nice to have a way to share queries across the team (make them accessible to anyone who has access to the project).

If you need any more info, let me know.
Broken Bokken

lbauer
Posts: 9736
Joined: Tue Dec 16, 2003 1:25 pm
Location: SourceGear

Re: Security Loophole with Queries

Post by lbauer » Mon Aug 04, 2008 2:21 pm

I was able to reproduce this.

A user shouldn't see query results or rename a query for a project he or she has no access to. I'll log it as a bug.

Thanks for the report.
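The missing check discussed in this thread, as an added example that is not part of the original posts and is not Fortress code: a rename that trusts the query id from the link, beside one that checks project access and ownership on the server. The class names, the user and project names, and the policy that project members may view but only the owner may rename are assumptions made for illustration.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """The caller may not act on the requested query."""

@dataclass
class SavedQuery:
    query_id: int
    owner: str
    project: str
    name: str

class QueryStore:
    def __init__(self, project_members, queries):
        self.project_members = project_members  # project -> set of users (constructed)
        self.queries = {q.query_id: q for q in queries}

    def rename_unchecked(self, user, query_id, new_name):
        # Reported behaviour: anyone holding the link can rename the query.
        self.queries[query_id].name = new_name

    def _load_for(self, user, query_id):
        query = self.queries.get(query_id)
        members = self.project_members.get(query.project, set()) if query else set()
        # Same error for a missing query and for a project the user cannot
        # access, so query ids cannot be probed through differing responses.
        if user not in members:
            raise Forbidden("query not available")
        return query

    def view(self, user, query_id):
        return self._load_for(user, query_id).name

    def rename(self, user, query_id, new_name):
        query = self._load_for(user, query_id)
        if query.owner != user:  # assumed policy: only the owner may modify
            raise Forbidden("only the owner may rename this query")
        query.name = new_name

def demo():
    # Constructed sample data: User A owns the query, User B shares the project.
    query = SavedQuery(1, "user_a", "alpha", "Open bugs")
    store = QueryStore({"alpha": {"user_a", "user_b"}}, [query])
    store.rename_unchecked("user_b", 1, "renamed by B")
    after_unchecked = query.name
    store.rename("user_a", 1, "Open bugs")
    try:
        store.rename("user_b", 1, "renamed again")
    except Forbidden as exc:
        return after_unchecked, query.name, str(exc)
```

The checks run on every request against the stored owner and project, so holding the URL grants nothing by itself.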
