437b141fa2
Fix Parameter based Indirect Object Referencing leading to private file exposure
2023-06-02 20:29:24 -07:00
a40da29a0e
don't look for project_id for files
...
it is only used for late accessibility checking (it was already checked in middleware).
With this, you can create stable file links (as long as the file exists)
I need this change for my [inline image plugin](https://github.com/Chaosmeister/PITM )
2021-12-03 17:28:48 -08:00
71123b0f37
Add missing CSRF checks
2021-06-05 14:59:12 -07:00
c8a617cfcb
Add per-project and per-swimlane task limits
...
This change allows projects and swimlanes to be configured with task limits that apply to their whole scope (i.e. all active tasks in a project or swimlane, respectively), as opposed to the usual per-column task limits.
2020-02-25 20:26:31 -08:00
322383b084
Always returns a 404 otherwise people might guess which user exist
2019-01-30 21:07:56 -08:00
19ea9ed620
Add missing CSRF check in TwoFactorController::deactivate()
2019-01-30 20:21:12 -08:00
a991758e98
Redirect to original URL after oauth login
2018-03-05 10:43:15 -08:00
9ddefa979a
Add CSRF check for task and project files upload
2018-01-29 15:56:30 -08:00
7100f6de8a
Make sure people do not access to files of other projects
2017-09-27 21:58:16 -07:00
3e0f14ae2b
Do not expose IDs in forms
2017-09-23 20:56:54 -07:00
074f6c104f
Avoid people to alter other projects by changing form data
2017-09-23 18:48:45 -07:00
5ffdf286e7
Minor fixes
2016-06-05 18:22:19 -04:00
523e0aad7e
Raise exception for webhook token verification
2016-06-01 21:35:22 -04:00
92aba95959
Fix typo after refactoring
2016-05-31 22:42:50 -04:00
14713b0ec7
Rename all models
2016-05-28 19:48:22 -04:00
67b8361649
Refactoring: added controlled middleware and changed response class
2016-05-15 18:31:47 -04:00
Frédéric Guillot
Tomas Dittmann
Andre Nathan
kent1