action #18594

closed

[tools][sprint 201712.1][bonus] Worker page is accessible without logging in

Added by szarate about 7 years ago. Updated over 6 years ago.

Status: Resolved
Priority: Low
Assignee:
Category: Feature requests
Target version:
Start date: 2017-04-13
Due date:
% Done: 0%
Estimated time:

Description

If an unauthenticated user tries to navigate to one of the worker details pages, he can see all the details.

At least he can't modify any of the jobs, but still, while it's not a security issue, I don't think that it should be available for the public, or at least not under /admin (in case we want to allow the public to access this page).

https://openqa.suse.de/admin/workers/141

Actions #1

Updated by okurz about 7 years ago

We recently changed the behaviour to make more pages accessible to non-admin users. I don't think that it is a problem to have the page available under "/admin/" because "admin" says it's intended for administration, not that you need to be an admin.

Actions #2

Updated by coolo over 6 years ago

  • Target version set to Ready

Indeed - the JOBTOKEN might be a 'leak' though.

Hiding it for non-admins sounds like a nice entrance level issue though.

Actions #3

Updated by mitiao over 6 years ago

  • Assignee set to mitiao

Actions #4

Updated by mitiao over 6 years ago

  • Status changed from New to In Progress
  • Target version changed from Ready to Current Sprint

First try seems a wrong direction to change worker route with auth...
Focus on 'hiding'...

Actions #5

Updated by szarate over 6 years ago

  • Subject changed from Worker page is accessible without logging in to [tools][bonus] Worker page is accessible without logging in

Actions #6

Updated by okurz over 6 years ago

Wait. I remember that originally mkittler developed based on my request that these pages are accessible so that anyone can check read-only the status of workers. Hiding the page completely should not be the way to go.

Actions #7

Updated by coolo over 6 years ago

Just for the record: we're talking about hiding details on the page - not the page itself.

Actions #8

Updated by mitiao over 6 years ago

  • Status changed from In Progress to Resolved

PR merged

Actions #9

Updated by szarate over 6 years ago

  • Subject changed from [tools][bonus] Worker page is accessible without logging in to [tools][sprint 201712.1][bonus] Worker page is accessible without logging in
  • Target version changed from Current Sprint to Milestone 12