This Question is Assumed Answered

2 Replies Last post: Dec 17, 2007 11:10 PM by Derwyn Harris  
Eric Ford   32 posts since
Oct 10, 2007

Dec 15, 2007 12:39 PM

Cross project links open potential security hole

 

As a workaround for configuration control we created two projects. The first project holds our actual items (requirements, use cases, design components, etc.) which are under configuration control. The second project contains only change requests, categorized for each appropriate item type in the first project. In the first project, only users in management roles have write permissions. In the second project, users in all roles have write permissions.

Using the relate tab, a user in the second project can relate his change request to an item in the first project and the relationship is created in both projects - this is good. Unfortunately, the More Actions drop down on the "Relate It To" panel includes "Add Item" which permits that same user to add items of any type to the first project despite not having write permissions for that project - this is not good. Can the Add Items option be removed from this menu or disabled based on user role in the target project?

 

 

Support   59 posts since
Aug 4, 2007
1. Dec 15, 2007 2:13 PM in response to: Eric Ford
Re: Cross project links open potential security hole

Yes, that action was intended to be disabled or invisible to read-only users. We're currently working on a minor release which we'll try to include this in.

Derwyn Harris   106 posts since
Jun 11, 2007
2. Dec 17, 2007 11:10 PM in response to: Eric Ford
Re: Cross project links open potential security hole

This has been fixed in the 2.0.3 release which will be available this week.
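
The permission rule discussed in this thread, sketched as an added example (not code from the product or from any poster): the "Add Item" entry and the item-creation call are both gated on the user's role in the target project, not the project the user is working from. The `Project` model, the user names, the "Relate Existing Item" label and the rule that relating needs read access in the target are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

READ, WRITE = "read", "write"

@dataclass
class Project:
    name: str
    # user -> permissions held in THIS project (hypothetical model)
    grants: dict = field(default_factory=dict)
    items: list = field(default_factory=list)

    def allows(self, user, perm):
        return perm in self.grants.get(user, set())

def relate_panel_actions(user, target):
    """Menu entries for the "Relate It To" panel, filtered by the user's
    permissions in the TARGET project, where a new item would be created."""
    actions = []
    if target.allows(user, READ):
        actions.append("Relate Existing Item")  # hypothetical label
    if target.allows(user, WRITE):
        actions.append("Add Item")
    return actions

def add_item(user, target, item):
    """Server-side enforcement: hiding the menu entry alone is not enough,
    so the write check is repeated at the point where the item is created."""
    if not target.allows(user, WRITE):
        raise PermissionError(f"{user} has no write permission in {target.name}")
    target.items.append(item)

def relate(user, source, source_item, target, target_item):
    """Assumed rule: write access in the source project, read in the target."""
    if not (source.allows(user, WRITE) and target.allows(user, READ)):
        raise PermissionError("relationship not permitted")
    return (source.name, source_item, target.name, target_item)

# Constructed sample data mirroring the two-project setup in the first post.
controlled = Project("controlled-items",
                     {"manager": {READ, WRITE}, "analyst": {READ}}, ["REQ-1"])
changes = Project("change-requests",
                  {"manager": {READ, WRITE}, "analyst": {READ, WRITE}}, ["CR-7"])
```
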
