Details
Type: Bug
Resolution: Fixed
Priority: Highest
Affects Version/s: 2.6.1 Pro, 2.6.1 Enterprise
Environment: Redhat Linux 9.0, JIRA 2.6.1 Enterprise, IE 6.0.2800, MySQL (Not sure of what version)
2.06
Description
We have been having various, not consistently reproducible errors, all to do with security.
First, if you log in incorrectly: if you mistype the password, the error screen comes up all scrambled. This is not reproducible on demand. Refreshing the screen (F5) causes the screen to become more and more clear on each attempt. The scrambling is visible HTML code on the page. See the screenshot(s) I am attaching. The screen does not always look exactly like this, but it is similar in the fact that HTML code is visible to the user.
Second, when users are created the admin is forced to enter the username as all lower case, which is good. However, when the user logs in, if they enter the correct name but with some or all upper case, then the user seems to be logged in, but they cannot see the project list or anything. It should instead have rejected their login attempt. See my attachment for an example.
Third, the most dangerous... We have a permission scheme set up that has the Administer Projects permission for a group. If a member of that group logs in, they can then administer the components and versions of the projects to which that permission scheme is attached, which is good and the behavior I expect. However, there is an "Add Project" link available to this user... why? They can't do that. When it is clicked on, the user is then forced to log in again... no matter how many times they try to log in, they cannot, usually. HOWEVER, we have had one instance where, when the user attempted to log in, they got to a mangled screen (similar to the first problem), but on that screen was a list of issues not in a project that that user has access to! This is not good. I can't reproduce it again no matter how many times I have tried, but it was very scary to see. We set up groups and permission schemes to keep people out of projects they have no business being in, but this problem caused a user to get to somewhere he should not have.
Attachments
Issue Links
- is duplicated by:
  - JRASERVER-4723 Unauthorized access to issues possible! (Closed)
  - JRASERVER-7476 NPE out of issuenotfound.jsp (Closed)