#572: Apply permission checks to default Dashboard widgets
-----------------------+--------------------
 Reporter:  astaric    |      Owner:  nobody
     Type:  defect     |     Status:  new
 Priority:  major      |  Milestone:
Component:  dashboard  |    Version:
 Keywords:             |
-----------------------+--------------------
 Global Dashboard currently displays widgets that display product data, but
 do not check product-specific permissions. If a user has TICKET_VIEW
 permission in the global context, he can see unfiltered lists of products
 and product tickets.

 The following steps can be used to reproduce the problem:
 Create two products with some tickets (DEMO and MNP). Grant anonymous
 *_VIEW on global, but no product-specific permissions.

 With this setup, anonymous can access global Dashboard, where it sees
 all the tickets and all the products. He cannot access product
 specific dashboards (no PRODUCT_VIEW permission). Links to
 products/tickets in the global dashboard also redirect to login.

 If anonymous is granted the additional PRODUCT_VIEW permission for both
 products, he can access the dashboards, but the ticket and timeline widgets
 crash (no TICKET_VIEW permissions).

 trac:TracFineGrainedPermissions should also be included in permission
 check.

-- 
Ticket URL: <https://issues.apache.org/bloodhound/ticket/572>
Apache Bloodhound <https://issues.apache.org/bloodhound/>
The Apache Bloodhound issue tracker
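The filtering the ticket asks for, shown as an added example that is not Apache Bloodhound's or Trac's own code: a small model with a global permission context, one context per product, and a fine-grained policy hook, plus a widget listing in the reported form (one global check, then every ticket) beside a version that checks PRODUCT_VIEW and TICKET_VIEW per row in the ticket's product context. The class and function names, the sample tickets and the assumption that a product-scoped check consults only that product's grants (consistent with the ticket's observation that global TICKET_VIEW does not carry into a product) are this example's own; in Trac the equivalent per-resource check is the idiom `'TICKET_VIEW' in req.perm(resource)`.

```python
"""Per-product permission checks for a global dashboard widget.

Constructed model, not Apache Bloodhound's code. It mirrors the ticket's
setup: a global permission context, one context per product, and widgets
that list tickets. PermissionStore and list_tickets_* are this example's
own names; in Trac the comparable check is
``'TICKET_VIEW' in req.perm(resource)`` against a Resource.
"""
from collections import defaultdict

GLOBAL = None  # key for the global (product-less) context

# Constructed sample data: two products (DEMO and MNP) with a few tickets.
TICKETS = [
    {"id": 1, "product": "DEMO", "summary": "demo ticket one"},
    {"id": 2, "product": "DEMO", "summary": "demo ticket two"},
    {"id": 3, "product": "MNP", "summary": "mnp ticket one"},
]


class PermissionStore:
    """Grants keyed by (user, product); product=GLOBAL is the global context.

    Assumption, consistent with the ticket (a global TICKET_VIEW grant does
    not confer TICKET_VIEW inside a product): a product-scoped check only
    consults that product's grants. Fine-grained policies run first and may
    allow or deny a specific resource; None means "no opinion".
    """

    def __init__(self):
        self._grants = defaultdict(set)
        self._policies = []

    def grant(self, user, action, product=GLOBAL):
        self._grants[(user, product)].add(action)

    def add_policy(self, policy):
        self._policies.append(policy)

    def has(self, user, action, product=GLOBAL, resource=None):
        for policy in self._policies:
            decision = policy(user, action, product, resource)
            if decision is not None:
                return decision
        return action in self._grants[(user, product)]


def list_tickets_unfiltered(store, user, tickets=TICKETS):
    """The behaviour the ticket reports: one global check, then every ticket."""
    if not store.has(user, "TICKET_VIEW"):
        return []
    return [t["id"] for t in tickets]


def list_tickets_filtered(store, user, tickets=TICKETS):
    """Fixed widget: every row is checked in its own product context."""
    visible = []
    for t in tickets:
        product = t["product"]
        if not store.has(user, "PRODUCT_VIEW", product):
            continue  # user cannot even open this product's dashboard
        if not store.has(user, "TICKET_VIEW", product,
                         resource=("ticket", t["id"])):
            continue
        visible.append(t["id"])
    return visible


def hide_ticket_two(user, action, product, resource):
    """Fine-grained policy: deny ticket 2 to everyone, no opinion otherwise."""
    if resource == ("ticket", 2):
        return False
    return None


def run_scenario():
    """Walk through the ticket's reproduction steps; returns each stage's result."""
    store = PermissionStore()
    store.grant("anonymous", "TICKET_VIEW")   # global *_VIEW only
    store.grant("anonymous", "PRODUCT_VIEW")
    stage1 = (list_tickets_unfiltered(store, "anonymous"),
              list_tickets_filtered(store, "anonymous"))
    # PRODUCT_VIEW on both products, still no product-scoped TICKET_VIEW.
    store.grant("anonymous", "PRODUCT_VIEW", "DEMO")
    store.grant("anonymous", "PRODUCT_VIEW", "MNP")
    stage2 = list_tickets_filtered(store, "anonymous")
    # TICKET_VIEW granted inside DEMO only.
    store.grant("anonymous", "TICKET_VIEW", "DEMO")
    stage3 = list_tickets_filtered(store, "anonymous")
    # A fine-grained policy hides ticket 2 even though DEMO is viewable.
    store.add_policy(hide_ticket_two)
    stage4 = list_tickets_filtered(store, "anonymous")
    return stage1, stage2, stage3, stage4


if __name__ == "__main__":
    print(run_scenario())
```

With only global grants the unfiltered widget lists all three tickets while the filtered one lists none, matching the ticket's first observation; with product-scoped grants the filtered widget returns only rows the user may see instead of crashing, and the policy hook shows where a fine-grained policy can still veto a single ticket.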
