Add Comments -> Security Issue?!
Hi,
I'm having a weird issue. Will try to describe briefly just to see if someone can reproduce it.
I have created a user who can only view her own issues and add comments, so she cannot edit any fields. This is set by the Security Scheme and also the Field Visibility Scheme. However, when this user goes to add a comment (clicks the Comments text, not the little +), she gets access to the whole issue together with the comment box. Any value can be changed, irrespective of the Security Scheme settings or Field Visibility Scheme. Whereas if she clicks "+" to add a comment, the pop-up with only the comment text box appears, which is the expected behavior.
This is a huge security breach. Although Gemini will log all the actions and comments, just the option of seeing them and changing them looks like a bug.
Can someone confirm this is the case or whether I'm doing something wrong?
Best regards,
Alen
MisterY
Monday, February 22, 2010, 5:20:48 AM