Message3594
IMO this is a serious hole that any useful tracker should fix ASAP.
It's not a problem with the 'private' wording: one User can steal
queries from other Users and even from Admin.
It's not a template issue either: you can mess with anyone else's
queries, something SearchAction blocks but EditCSVAction doesn't.
Pranksters can change the Query URL to something lighthearted, like
"@error_message=No Issues in this Tracker&@ok_message=Tracker Deleted
Successfully <br> <br> <br> <br> <br>"...
Attached patch is a stopgap fix, feedback welcome.

Date | User | Action | Args
2009-02-25 22:37:04 | ajaksu2 | set | messageid: <1235601424.9.0.367847634178.issue1442835@psf.upfronthosting.co.za>
2009-02-25 22:37:04 | ajaksu2 | set | recipients: + ajaksu2, richard, rouilj, jpend, arno-
2009-02-25 22:37:04 | ajaksu2 | link | issue1442835 messages
2009-02-25 22:37:04 | ajaksu2 | create |