Client management: Client is able to see a hidden task

Question

Client management: Client is able to see a hidden task

Opened this issue 7 years ago · 0 comments

Hey there,

I found a problem in the Client management Addon:
Client is able to call a hidden task by knowing its full URL. There is no permission check when loading the tasks details. Hidden tasks are just hidden in the list, but thats not enough. He could find the full URL in the browsers history, network history or just accidently emailed the link.

Is anyone else having this problem?
Thanks

Tim