<< Back to previous view |
[QB-1337] It is a security risk that every user can execute arbitrary script by scripting the gadget title and the email field
|
|
Status: | Resolved |
Project: | QuickBuild |
Component/s: | None |
Affects Version/s: | 4.0.50 |
Fix Version/s: | 4.0.51 |
Type: | Improvement | Priority: | Critical |
Reporter: | Robin Shen | Assigned To: | Unassigned |
Resolution: | Fixed | Votes: | 0 |
Remaining Estimate: | Unknown | Time Spent: | Unknown |
Original Estimate: | Unknown |
Description |
Now a separate permission "Allow script" is added to group. For gadget title and message gadget, the script will only be evaluated if the containing dashboard is created by an user belong to group with such permission. This also holds true for user's email field.
|