Missing proper permission handling for tasks plugin. Possible data leakage

[bigvictorio]

The major problem I have is with permissions for tasks URL:
I have task #cat_task_1, which is assigned to: "cat user", "cat customer" "cat project" and "cat team", and global activity "problem resolution" that has URL https://kimai.example.com/en_BZ/tasks/1/details

I have task #dog_task_1, which is assigned to: "dog user", "dog customer" "dog project" and "dog team", and global activity "problem resolution" that has URL https://kimai.example.com/en_BZ/tasks/2/details

Dog user only sees tasks for the "dog team" on the Tasks page. There is "everything working". However, if the "dog user" changes the URL in the browser, to https://kimai.example.com/en_BZ/tasks/1/details (which is a task for "cat team") he can still access it via URL, add comments, edit details, etc. Which is from my point of view horrible.

Maybe the resolution to this is to change the URL generator to some UUID generator (128bit is maybe too much) so it is hard to guess another URL? Or make proper permissions that work like in invoices.

In the invoice module: If I add permission view_invoice and generate invoices for "cat company" and "dog company", and then save the invoice, all the invoices are shown in the Invoices -> Invoice history.
On this page "cat user" can see only invoices from "cat company", and can download those invoices. For example, the invoice for "cat company" has the URL: https://kimai.example.com/en_BZ/invoice/download/7.
After pasting this URL link into the browser, the invoice will start downloading (ask for the location in Windows where to save that file)

However, if "cat user" tries to access/download an invoice for "dog company", that has the URL https://kimai.example.com/en_BZ/invoice/download/8 (which is easy to guess, just an incrementing generator) I will get HTTP 403 error, the page is restricted. Or for wrong or non-existing numbers in the generator, I get an HTTP 404 error, page not found.

(I'm trying to point here, that if a "cat user" changes the invoice link URL, that is correctly protected.
However, in the tasks plugin, there is nothing like this and if your company has important data in the task description, comments, or just for the price of processing tasks, this can be very unhealthy)

---

To understand my current configuration:
I have two teams: (cat team, dog team), two customers: (cat customer, dog customer), two projects: (cat project, dog project), and two users: (cat, dog). Each of these is linked together:
("cat user" is a member of the "cat team". Project "cat project" is linked to "cat team". "Cat team" has granted access to "cat customer" and to project "cat project". ) (Similar configuration is used for "dog team", "dog user", "dog project", and "dog customer".) To be noted, I have a global activity called "problem resolution"
"cat user" and "dog user" are in the group "users" (default user group in Kimai) that have permissions: time_team_customer, task_assign, task_details, task_edit_other, task_edit_own, task_team_view, task_view, view_team_member, view_own_profile.

Kimai version: 2.0.3.1 (prod)
PHP version: 8.1.2-1ubuntu2.9
Task Management plugin version: 2.1.7

[kevinpapst]

Hey, I need to test that.
The solution is obviously to fix the permission for the detail access if it is currently to wide.
Security by obscurity through UUID would be a weak workaround.

Long text is great, even better are some screenshot which are way easier to understand.
Especially for the setup, which I need to duplicate.

[bigvictorio]

Currently replicated it in the empty kimai demo,
Logins: cat/dog
password: password

Attaching screenshots below:
On the left side, I'm logged in as a Dog User, and on the right side as a Cat user

Preview of own task, that they have should see:

After copying the URL, of the Dog task (on the left side of my monitor, chrome purple color scheme, that has the link: https://demo-empty.kimai.org/en/tasks/2/details) and opening this on the right side of the monitor, in the incognito, the second tab from the left (with blue frame) I can open it. (On this image, on the right side of the screen, I have opened my second tab which is highlighted in blue)

This goes both ways. And here you can see, I can see Customer here, project, user, team that I should not be able to. And in the screen below, it goes blank.

Interesting thing here: After I open tasks that I should not be able to (Logged in as Dog User, opened Cat_task_1) click edit,
The customer box is blank, I can only select customers that I have access to (dog customers). The user is blank, the team is blank.

However, I can see the other team that I should not even see. In the Project column

After this, when navigating through the menu, to the Tasks section, I can't see the other projects/teams tasks. (In this picture I just added a filter to also see Completed tasks just to be sure.)

I have a suspicion that the Tasks plugin is built something different other than the main kimai core or the Expenses plugin. I think, there is something wrong with Projects maybe, how it is handled.
Because even related to this issue Limit Tasks view by Teams/Projects to prevent Data Leakage I think there is a lot of leakage from the tasks plugin and this plugin needs some more love.