tracks icon indicating copy to clipboard operation
tracks copied to clipboard

Published 20 hours ago verified publisher icon TracksApp

Allow project tokens that allow access only to one project's data

Open dnrce opened this issue 10 years ago • 4 comments

Migrated from the original issue at https://www.assembla.com/spaces/tracks-tickets/tickets/1456

The tokens included in RSS and iCal links are sensitive, preventing those links from being shared.

Originally reported by tedks on April 4, 2014 at 19:51:10 (+0400) against version git-master

dnrce avatar Jun 25 '14 16:06 dnrce

I'm not sure what this issue means. The tokens are sensitive in the sense that they allow access to Tracks data, but is there something to be improved here?

ZeiP avatar May 11 '19 21:05 ZeiP

IIRC (it's been a while), the iCal URL included an authentication token and a path/descriptor for the project it was generated for, in editable form, separately. This allowed someone with an iCal link to see all of your tasks rather than just that project (or something similar) if you shared a link generated for that project.

tedks avatar May 12 '19 03:05 tedks

Ah, yes. There's only one token per user, and that indeed allows access for all tasks instead of just one project/context/other criteria. So if I understand correctly, this issue is about adding a separate project-specific key which can be used to share one project's actions as calendar or RSS feed. I'd consider this a feature request rather than a bug.

ZeiP avatar May 12 '19 12:05 ZeiP

I would also say there is a UX bug in that I, as a user, did not understand the semantics of the feature and unintentionally shared much more than I thought I was sharing. This happened because I sent the link in an email that mangled the link to drop the project URL parameter, and the person I sent the link to just saw all my tasks.

It's also worth pointing out that while you could fix this in a very complex way, it could also be fixed in a simple way, without as many security guarantees, so that the UX bug here was fixed. For example, rather than having the token and project identifier in separate URL parameters, you could just hash them together, so that if the URL is accidentally modified, the entire task list isn't shown. This could be made almost as secure as the separate-token-per-project by using a salt, so the endpoint for a project's iCal feed is hash(token+project+salt).

tedks avatar Jun 14 '19 16:06 tedks