Details
-
Bug
-
Resolution: Fixed
-
High
-
5.1.2x
-
1
-
Severity 3 - Minor
-
Description
The event of calendar creation is viewable at Activity even by users who are restricted. Hence, users have to be careful not to describe sensitive information on the name of calendars.
This is how I reproduced:
- Install Confluence 5.6.6
- Install Team Calendar 5.1.21 addon
- Create two confluence-users - user1 and user2
- Login as user1 and:
- create a calendar - "User1's Calendar"
- Give viewing restrict only to user1
- Login as user2 and:
- Go to People Directory and choose user1
- user2 can see the activity that "User1's Calendar" was created though user2 cannot view the calendar (See also the attached ActivityStream.jpg)