Comments (15)

xet7 avatar xet7 commented on May 27, 2024

@mohammadZahedian

If you have Admin Panel access, then you are Admin, and you also have access with API to all boards.

With API, or Admin Panel / People / People / Edit / Impersonate User, of some user that has BoardAdmin access to board, you can add yourself back to the board you are currently not member of. Or alternatively, by editing database, adding your user ID from Users table/collection to board members IDs.

It is not a security issue, that Admin has access to everything.

So the question is, can some normal user, that is not Admin, see some data at web browser or API, that normal user should not see?

from wekan.

mohammadZahedian avatar mohammadZahedian commented on May 27, 2024

@xet7
no, the user I was working with was not admin... but I could see the boards I was a member of some day...
it (the board) is not in my panel on the site, but I can see it in the API

xet7 avatar xet7 commented on May 27, 2024

@mohammadZahedian

Does your WeKan user see Admin Panel?

Sure, if you think that Admin should not have any access to any other users, I could remove Admin Panel, encrypt all users data, and disable API.

xet7 avatar xet7 commented on May 27, 2024

@mohammadZahedian

WeKan has User API, and Admin API.

Admin, that can see Admin Panel, can see all boards with Admin API. At All Boards page, Admin sees those boards Admin is member of. With API, Admin can list all boards, also those that Admin is not member of. This is because Admin can then change membership of boards, and create new users, with Admin API.

User, with User API, can only see those boards User is member of.

xet7 avatar xet7 commented on May 27, 2024

@mohammadZahedian

Being member of board, and leaving board, still keeps the board at database.

If board is Archived, and deleted from Archive, then board does not exist anymore at database.

xet7 avatar xet7 commented on May 27, 2024

@mohammadZahedian

the user is not a member of board but accesses some board information

What information that user can access?

xet7 avatar xet7 commented on May 27, 2024

@mohammadZahedian

Please email me at [email protected]

Any security issues should be reported by email.

https://github.com/wekan/wekan/blob/main/SECURITY.md

mohammadZahedian avatar mohammadZahedian commented on May 27, 2024

Does your WeKan user see Admin Panel?

no, he doesn't

Sure, if you think that Admin should not have any access to any other users, I could remove Admin Panel, encrypt all users data, and disable API.

no, it is OK

User, with User API, can only see those boards User is member of.

it is exactly what I am saying: User can see a board that he is not a member of, having left it before

the user is not a member of board but accesses some board information

What information that user can access?

now, as I found, it can see the board name and id; other requests respond FORBIDDEN, but seeing the board name and id doesn't make sense when the user is not a member of that board

mohammadZahedian avatar mohammadZahedian commented on May 27, 2024

I am trying to make a simple Android app for WeKan, and this is the problem: it shows the board that the user has left before

xet7 avatar xet7 commented on May 27, 2024

@mohammadZahedian

What version of WeKan are you running?

What API did you use?

With newest WeKan, I created new normal user. It does not show list of non-member boards. There is other API for showing list for Public Boards.

xet7 avatar xet7 commented on May 27, 2024

@mohammadZahedian

At Admin Panel you can disable all Public Boards, if you do not want any board to be public.

xet7 avatar xet7 commented on May 27, 2024

@mohammadZahedian

Did you try api.py at https://github.com/wekan/wekan ?

xet7 avatar xet7 commented on May 27, 2024

@mohammadZahedian

It looks like listing public boards is forbidden for normal users API.

I presume you have old WeKan.

mohammadZahedian avatar mohammadZahedian commented on May 27, 2024

@xet7

It looks like listing public boards is forbidden for normal users API.

no, it is private

I presume you have old WeKan.

mohammadZahedian avatar mohammadZahedian commented on May 27, 2024

look

this user has left this board

Screenshot 2024-01-10 112124

but with his username and password it can see the "test" board in the API:

Screenshot 2024-01-10 112412
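A defender-side regression check for the membership question raised in this thread (a normal user's API board list containing a board the user has left), written as an added example and not WeKan's own api.py or any code from the thread; the `/users/login`, `/api/users/:id/boards` and `/api/boards/:id` endpoints and the `members[].isActive` layout are assumptions based on the WeKan REST API, and the sample responses are constructed:

```python
import json, urllib.error, urllib.request

def login(base_url, username, password):
    # Assumed WeKan endpoint: POST /users/login -> {"id": ..., "token": ...}
    body = json.dumps({"username": username, "password": password}).encode()
    req = urllib.request.Request(base_url + "/users/login", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def get_json(base_url, token, path):
    # Decoded JSON body, or None when the server answers 403 FORBIDDEN.
    req = urllib.request.Request(base_url + path, headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 403:
            return None
        raise

def boards_leaked_to(user_id, listed_boards, board_details):
    # listed_boards: [{"_id", "title"}, ...] from the user's board-list call;
    # board_details: {board_id: board document, or None if that call was 403}.
    # Flag a board that is listed but forbidden in detail, or whose members array
    # (assumed layout [{"userId", "isActive"}]) holds no active entry for user_id.
    leaked = []
    for board in listed_boards:
        detail = board_details.get(board["_id"])
        if detail is None or not any(
                m.get("userId") == user_id and m.get("isActive", True)
                for m in detail.get("members", [])):
            leaked.append(board["_id"])
    return leaked

def run_check(base_url, username, password):
    # Assumed endpoints: GET /api/users/:id/boards and GET /api/boards/:id.
    session = login(base_url, username, password)
    token, uid = session["token"], session["id"]
    listed = get_json(base_url, token, f"/api/users/{uid}/boards") or []
    details = {b["_id"]: get_json(base_url, token, f"/api/boards/{b['_id']}") for b in listed}
    return boards_leaked_to(uid, listed, details)

# Constructed sample mirroring the thread: "test" is listed although the user left it.
SAMPLE_USER = "u1"
SAMPLE_LISTED = [{"_id": "b1", "title": "mine"}, {"_id": "b2", "title": "test"},
                 {"_id": "b3", "title": "old"}]
SAMPLE_DETAILS = {"b1": {"members": [{"userId": "u1", "isActive": True}]},
                  "b2": None,  # detail request answered FORBIDDEN, as in the thread
                  "b3": {"members": [{"userId": "u1", "isActive": False}]}}
```

Against a live instance, `run_check("https://wekan.example", "user", "pass")` should return an empty list for a normal user; any id it returns is a board the User API listed without the user being an active member.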
