Our team wanted to be able to share useful queries, so we decided to see if other users could get to a user's query if they have the URL.
User A is the owner of the query. He sent a link to User B to the query. User B clicks the link, can see the query, and decides to rename it. User A suddenly sees that his query has been renamed.
The system makes queries user-specific, but does not protect them from being modified by other users.
On a side note, it would be nice to have a way to share queries across the team (make them accessible to anyone who has access to the project).
If you need any more info, let me know.
Security Loophole with Queries
Broken Bokken
Re: Security Loophole with Queries
I was able to reproduce this.
A user shouldn't see query results or rename a query for a project he or she has no access to. I'll log it as a bug.
Thanks for the report.
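The missing check reported in this thread, shown as an added example that is not part of the original posts and is not SourceGear's code. The data model, the function names and the policy (any project member may view, only the owner may rename) are assumptions made for illustration.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not perform the requested action."""


@dataclass
class Query:
    id: int
    owner: str
    project: str
    name: str


# Constructed sample data: one project, its members, and one saved query.
PROJECT_MEMBERS = {"proj-1": {"userA", "userB"}}
QUERIES = {42: Query(id=42, owner="userA", project="proj-1", name="Open bugs")}


def rename_query_unchecked(caller: str, query_id: int, new_name: str) -> Query:
    """Behaviour reported in the thread: knowing the id in the URL is enough."""
    query = QUERIES[query_id]
    query.name = new_name  # caller is never compared with owner or project
    return query


def _load_authorized(caller: str, query_id: int) -> Query:
    """Return the query only if the caller has access to its project."""
    query = QUERIES.get(query_id)
    # Same error for "missing" and "no access" so ids cannot be probed.
    if query is None or caller not in PROJECT_MEMBERS.get(query.project, set()):
        raise Forbidden("query not found or not accessible")
    return query


def view_query(caller: str, query_id: int) -> Query:
    """Read access: any member of the query's project (assumed policy)."""
    return _load_authorized(caller, query_id)


def rename_query(caller: str, query_id: int, new_name: str) -> Query:
    """Write access: project member AND owner of the query (assumed policy)."""
    query = _load_authorized(caller, query_id)
    if query.owner != caller:
        raise Forbidden("only the owner may rename this query")
    query.name = new_name
    return query
```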