- Problem report
- Resolution: Fixed
- Major
- 3.0.10, 3.2.7, 3.4.1
- Sprint 16, Sprint 17, Sprint 18, Sprint 19, Sprint 20, Sprint 21
- 0.5
Personal information inside alert messages can be viewed by all users who have rights to the host, even if these users are not in the same user group. In the event details of a recovery event, message content should not be displayed where the recipient is shown as "Inaccessible user".
The macros {ESC.HISTORY}, {EVENT.ACK.HISTORY} and, from 3.4, {USER.FULLNAME} may contain personal information.
How to reproduce:
- enable an action that sends e-mail notifications about problem events and their recoveries to the Superadmin and the guest user (both have permission on the host and are in different user groups); also add the macro {ESC.HISTORY} to the recovery message;
- trigger a problem event;
- resolve the problem;
- log in as guest user;
- open event details of the event that was resolved;
- observe that both e-mails and all their content are visible to the guest user, including the admin's full name and e-mail address.
Expected: Information about message actions is not visible to users from different user groups except to Superadmins.
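As an added illustration (not Zabbix's own frontend code, which is PHP), a small Python model of the check this report asks for: the "before" function reproduces the reported behaviour, where host permission alone reveals every message action, and the "after" function masks recipients outside the viewer's user groups as "Inaccessible user", body included, unless the viewer is a Superadmin. User names, group ids and message bodies are constructed sample data.

```python
from dataclasses import dataclass

INACCESSIBLE = "Inaccessible user"

@dataclass(frozen=True)
class User:
    alias: str
    fullname: str
    email: str
    groups: frozenset      # ids of the user groups this user belongs to
    superadmin: bool = False

@dataclass(frozen=True)
class MessageAction:
    recipient: User
    body: str              # expanded message text; may embed {ESC.HISTORY} output

# Constructed sample data (not from the report): the Superadmin and the guest
# both have rights to the host but belong to different user groups (7 and 8).
ADMIN = User("Admin", "Admin Adminov", "admin@example.test", frozenset({7}), superadmin=True)
GUEST = User("guest", "", "", frozenset({8}))
ACTIONS = (
    MessageAction(ADMIN, "Resolved. Escalation history: sent to Admin Adminov <admin@example.test>"),
    MessageAction(GUEST, "Resolved."),
)

def visible_actions_before(viewer, actions, has_host_rights):
    """Reported behaviour: anyone with rights to the host sees every message action."""
    if not has_host_rights:
        return []
    return [(a.recipient.fullname, a.recipient.email, a.body) for a in actions]

def visible_actions_after(viewer, actions, has_host_rights):
    """Expected behaviour: recipients outside the viewer's user groups are masked,
    message body included, unless the viewer is a Superadmin."""
    if not has_host_rights:
        return []
    rows = []
    for a in actions:
        if viewer.superadmin or viewer.groups & a.recipient.groups:
            rows.append((a.recipient.fullname, a.recipient.email, a.body))
        else:
            rows.append((INACCESSIBLE, "", ""))
    return rows

if __name__ == "__main__":
    # What the guest user sees in event details after the fix
    for row in visible_actions_after(GUEST, ACTIONS, True):
        print(row)
```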