#572: Apply permission checks to default Dashboard widgets -----------------------+-------------------- Reporter: astaric | Owner: nobody Type: defect | Status: new Priority: major | Milestone: Component: dashboard | Version: Keywords: | -----------------------+-------------------- Global Dashboard currently displays widgets that display product data, but do not check product specific permissions. If user has TICKET_VIEW permission in global context, he can see unfiltered lists of products and product tickets.
The following steps can be used to reproduce the problems: Create two products with some tickets (DEMO and MNP). Grant anonymous *_VIEW on global, but no product specific permissions. With this setup, anonymous can access global Dashboard, where it sees all the tickets and all the products. He cannot access product specific dashboards (no PRODUCT_VIEW permission). Links to products/tickets in the global dashboard also redirect to login. If anonymous is grantet additional PRODUCT_VIEW permission for both products, he can access the dashboards, but ticket and timeline widgets crash (no TICKET_VIEW permissions). trac:TracFineGrainedPermissions should also be included in permission check. -- Ticket URL: <https://issues.apache.org/bloodhound/ticket/572> Apache Bloodhound <https://issues.apache.org/bloodhound/> The Apache Bloodhound issue tracker