Details
- Bug
- Resolution: Answered
- Medium
- 3.8.0
- Severity 2 - Major
Description
Both Crucible comment search (i.e. CONTEXT/cru/commentSearch) and general search (i.e. CONTEXT/cru/search) have permission checking incorporated into the Hibernate query, but the way they do it can exclude valid results. They generate a list of projects that the user can see and restrict the search results to those projects, but that ignores permission schemes which also allow viewing by role. For example, a person who can't normally view a project can still see a review in that project if they're added as a reviewer to it.
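
The over-restriction described above, reproduced on a constructed schema as an added example (this is not Crucible's code or its Hibernate query). All table and column names, users and rows are hypothetical; the example contrasts a filter built only from the visible-project list with one that also honours a per-review reviewer grant.

```python
import sqlite3

# Constructed schema and data; names are hypothetical, not Crucible's data model.
SCHEMA = """
CREATE TABLE project (id INTEGER PRIMARY KEY, proj_key TEXT);
CREATE TABLE project_viewer (project_id INTEGER, username TEXT);
CREATE TABLE review (id INTEGER PRIMARY KEY, project_id INTEGER, name TEXT);
CREATE TABLE review_role (review_id INTEGER, username TEXT, role TEXT);
CREATE TABLE comment (id INTEGER PRIMARY KEY, review_id INTEGER, body TEXT);
INSERT INTO project VALUES (1, 'OPEN'), (2, 'RESTRICTED');
INSERT INTO project_viewer VALUES (1, 'alice');
INSERT INTO review VALUES (10, 1, 'OPEN-1'), (20, 2, 'RESTRICTED-1'),
                          (21, 2, 'RESTRICTED-2');
INSERT INTO review_role VALUES (20, 'alice', 'reviewer');
INSERT INTO comment VALUES (100, 10, 'fix null check'),
                           (200, 20, 'fix null check here too'),
                           (210, 21, 'fix null check elsewhere');
"""

# Filter as the description reports it: restrict to the visible-project list only.
PROJECT_ONLY = """
SELECT c.id FROM comment c JOIN review r ON r.id = c.review_id
WHERE c.body LIKE :term
  AND r.project_id IN (SELECT project_id FROM project_viewer WHERE username = :user)
ORDER BY c.id
"""

# Filter that also accepts a role-based grant on the individual review.
PROJECT_OR_ROLE = """
SELECT c.id FROM comment c JOIN review r ON r.id = c.review_id
WHERE c.body LIKE :term
  AND (r.project_id IN (SELECT project_id FROM project_viewer WHERE username = :user)
       OR EXISTS (SELECT 1 FROM review_role rr
                  WHERE rr.review_id = r.id AND rr.username = :user
                    AND rr.role = 'reviewer'))
ORDER BY c.id
"""

def search(query, user, term):
    """Run one of the two search queries against a fresh in-memory database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    rows = db.execute(query, {"user": user, "term": f"%{term}%"}).fetchall()
    db.close()
    return [row[0] for row in rows]

if __name__ == "__main__":
    print("project-only filter:   ", search(PROJECT_ONLY, "alice", "null check"))
    print("project-or-role filter:", search(PROJECT_OR_ROLE, "alice", "null check"))
```

Comment 200 belongs to a review where alice is a reviewer, so the project-only filter drops a result she is entitled to see, while comment 210 stays hidden under both filters.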