View Issue Details

IDProjectCategoryView StatusLast Update
0003619SOGoWeb Calendarpublic2016-04-06 16:06
Reportermoserhans Assigned Toludovic  
PriorityurgentSeveritymajorReproducibilityalways
Status resolvedResolutionfixed 
Product Version2.3.0 
Fixed in Version3.1.0 
Summary0003619: searching the full text of events exposes hidden data
Description

if I subscribe to another calendar, where my rights are "see Date and Time" and then searches in the WebGUI for something in the full text of the events, then there are positive results shown, even though I cannot see the actual text!

Steps To Reproduce
  • user a: create calendar
  • set rights to calendar for user b to only see date and time
  • create event with "bem" in summary (and category?)
  • user b: subscribe to the new calendar of user a
  • search in the WebGUI for "bem" in the full text of the events
  • the created event is found as positive result, even though user a cannnot
    see why.
Additional Information

This exposes data which should not be exposed.

No events should have been found (searchable) as positive results by the search.

TagsNo tags attached.

Activities

ludovic

ludovic

2016-04-06 16:06

administrator   ~0009934

Fixed in upcoming 3.0.3 release.

Related Changesets

sogo: master 2404f4bb

2016-04-06 16:05:03

ludovic

Details Diff
(fix) avoid return search results on objects without read permissions (fixes 0003619) Affected Issues
0003619
mod - NEWS Diff File
mod - UI/Scheduler/UIxCalListingActions.m Diff File

Issue History

Date Modified Username Field Change
2016-04-06 12:05 moserhans New Issue
2016-04-06 16:06 ludovic Changeset attached => sogo master 2404f4bb
2016-04-06 16:06 ludovic Assigned To => ludovic
2016-04-06 16:06 ludovic Resolution open => fixed
2016-04-06 16:06 ludovic Note Added: 0009934
2016-04-06 16:06 ludovic Status new => resolved
2016-04-06 16:06 ludovic Fixed in Version => 3.1.0