KOrganizer display reminders on the screen despite active screen lock #60
Closed
opened 3 years ago by jstolarek · 15 comments
Basic information
Description
After locking the screen (e.g. with
dcop kdesktop KScreensaverIface lock
or by selecting "Lock screen" from TDE menu) KOrganizer displays reminders of upcoming tasks on the screen despite screen lock being active - see attached photo. This is a serious security issue since it can reveal private information by completely bypassing a screen lock. Reminder notification window disappears immediately after moving the mouse or pressing a key so I actually had to make a photo of it. It's not possible to capture this with a screenshot.
Hi Janek,
I can confirm this behaviour and I could not find any option to enable/disable it.
Not sure if this should be called a major bug or not, it probably depends on people's needs: some users may like to be reminded of their tasks if their screen is locked.
I think the right solution would be to have a checkbox that lets the user choose the preferred behavior.
definitely
I understand someone might want to have such functionality and having a switch sounds like a good idea. But in its current state I believe this is a bug because:
Notification window disappears immediately after moving a mouse or pressing a key. If the goal is to display the reminders despite screen lock then I would argue this is not well executed because it's very easy to have a notification accidentally hidden under a screen lock.
Expanding on what I said in the original report, the primary purpose of a screen lock is to ensure privacy of one's workstation from passers-by. A notification window can reveal an awful lot of private information: from phone numbers, names, and confidential meeting links and passwords*, to one's health problems. Imagine a reminder about calling a doctor about your health condition that you don't want to tell anyone about and then your colleagues at work see that information displayed on your screen despite screen lock.
The *) bit about links and passwords is not made up. I use KOrganizer to save online meeting links on Zoom or Jitsi together with passwords needed to join the rooms. Would absolutely not want to have this disclosed. That's why I marked this bug as major. It's a security bug that can lead to leaking of user's private data and should be taken seriously. There should really be a label for security bugs but as long as there isn't one I would insist on treating this as a major bug.
Note also similar concerns raised for Firefox Megabar feature.
Yes, it is true that the standard behavior should be that all windows are hidden under the screen lock. Indeed, that is why it was solved by hiding popup notifications that are not like ordinary windows. Therefore, the notification from KOrganizer should be hidden under the screen lock if there is no special checkbox to request display over the locked screen.
We can discuss whether it makes sense to do such a checkbox, but nothing will change the fact that the existing behavior is wrong and needs to be fixed.
IMO, we can hide the notification by default and add a checkbox to allow them to be displayed if the user chooses to do so. This way the user is responsible for his own action :-)
One more thing I just noticed is that if you disable the screen saver and lock the screen then notification windows will still display on the screen - as previously - but this time they don't disappear when moving a mouse. More interestingly, they are completely unresponsive to mouse, i.e. there's no way to click any of the buttons to dismiss or suspend a task. At this point one's best bet is to press Esc on the keyboard. That refreshes the screen lock screen and hides the notification window.
I can confirm this behavior as well.
The problem in this PR comes from the fact that the alarm dialog has the Stay on Top flag active. Currently looking into what is the best way to fix this.
I have been looking into this and done quite a bit of testing. I have come to the conclusion that it would be better to simply not show the reminders if the screen is locked and avoid a config option for it. The reasons for this are:
An option to show reminders on the locked screen would not behave consistently and therefore I think it is better to not have it at all.
And as Janek mentioned, a locked screen is supposed to hide the user activity and potentially sensitive information.
What do you think?
I fully agree with your analysis.
@jstolarek I don't know if you build TDE on your own or just use the prebuilt packages. If you are able to build, PR #63 is a proposed fix for this.
@SlavekB in case Janek can't test it, could you give it a go before we merge?
@MicheleC I'm using pre-built packages (PSB) and can't test on my own. Sorry.
No worries, I suspected that. Once Slavek can test on his own machine, we can merge this.
Hi Janek,
Slavek did a test on his system and we just merged the fix. PSB packages should be available soon. When you get the new packages, please test and let us know if you see any issue. If not, we can then close this issue.
Works perfectly, thanks! Closing.
Great, thanks for confirming and closing.