Message5184
Roundup provides the ability to manage access to each of a class's
properties (i.e. View, Edit, etc.). For properties that users do not have
View permissions for, the current value of a property will be displayed
as '[hidden]' in the node journal/history. The problem is that
older/previous values for the same property are not sanitised at all, so
users can view information that they probably should not be able to.
Example:
Date User Action Args
2015-01-12 02:27:11 user1 set secure_prop: Old Value2 -> [hidden]
2015-01-12 02:26:48 user1 set secure_prop: Old Value -> Old Value2
2015-01-12 02:26:43 user1 set secure_prop: Old Value
Ideally the properties that users do not have View access to should
probably not appear in the journal/history at all.

Date | User | Action | Args
2015-01-14 04:13:01 | jerrykan | set | recipients: + jerrykan
2015-01-14 04:13:01 | jerrykan | set | messageid: <1421208781.53.0.790557709125.issue2550864@psf.upfronthosting.co.za>
2015-01-14 04:13:01 | jerrykan | link | issue2550864 messages
2015-01-14 04:13:00 | jerrykan | create |
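
The following is an added example, not part of the original message and not Roundup's own code. It models the reported behaviour (only the current value masked) next to the suggested one (unviewable properties left out of the history entirely). The Entry type, the function names, the can_view callback and the sample journal are all assumptions constructed for illustration.

```python
from typing import Callable, NamedTuple

class Entry(NamedTuple):          # hypothetical journal record, not Roundup's format
    date: str
    user: str
    action: str
    props: dict                   # property name -> (old value, new value)

# Constructed sample, newest first, modelled on the history in the message.
JOURNAL = [
    Entry("2015-01-12 02:27:11", "user1", "set",
          {"secure_prop": ("Old Value2", "Current Value")}),
    Entry("2015-01-12 02:26:48", "user1", "set",
          {"secure_prop": ("Old Value", "Old Value2"), "title": ("a", "b")}),
    Entry("2015-01-12 02:26:43", "user1", "create", {}),
]

def render(entries):
    """Format entries as 'date user action prop: old -> new' lines."""
    out = []
    for e in entries:
        args = ", ".join(f"{p}: {old} -> {new}"
                         for p, (old, new) in sorted(e.props.items()))
        out.append(f"{e.date} {e.user} {e.action} {args}".rstrip())
    return out

def mask_current_only(entries, can_view: Callable[[str], bool]):
    """Reported behaviour: only the current value is replaced by '[hidden]'."""
    seen, out = set(), []
    for e in entries:             # newest first, so first sighting is current
        props = {}
        for p, (old, new) in e.props.items():
            if not can_view(p) and p not in seen:
                new = "[hidden]"
            seen.add(p)
            props[p] = (old, new)  # the old value passes through unchecked
        out.append(e._replace(props=props))
    return out

def drop_unviewable(entries, can_view: Callable[[str], bool]):
    """Suggested behaviour: omit unviewable properties from every entry."""
    out = []
    for e in entries:
        props = {p: v for p, v in e.props.items() if can_view(p)}
        if props or not e.props:  # keep entries that never carried properties
            out.append(e._replace(props=props))
    return out
```

The permission decision is made per property name rather than per value, so an entry that changed both a restricted and an unrestricted property still appears, with only the unrestricted change shown.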