Added by Marco Borm over 10 years ago
I recently checked the OpenProject release timeline and found some obscure “Clare Frank” item there:
I thought it was the result of a hack. After I unfortunately added the release “xyz” myself without an “access denied”, it seems anyone can add any kind of item into this OpenProject installation. Big sorry for that!
The access rights setup is IMO something to rethink.
Until then, could someone please delete both items? I am not allowed to delete my own item …
Replies (1)
Hello Marco,
thanks for the hint regarding the work packages in the timeline. I deleted both work packages that you referred to.
Currently, registered users have the permission to create work packages in the public projects on (but not the permission to delete them).
This way bugs and feature requests can be submitted by the community.
However, as you already noticed, this has the unfortunate side effect that spam can also be added, which - depending on the type - may be displayed in the timeline.
Your suggestion is valid though. We’ll have a look into possibly limiting the permissions to reduce spam / misleading data.