Defect #12287

Time entries of private issues are visible by users without permission to see them

Added by Ricardo S over 4 years ago. Updated about 1 month ago.

Status: Confirmed
Priority: High
Assignee: -
Category: Time tracking
Target version: Candidate for next minor release
Start date:
Due date:
% Done: 0%
Resolution:
Affected version:

Description

By accessing /projects/:id/time_entries users can see time entries submitted on private issues even if they don't have access to the issue.

Affected version:
Redmine: 2.1.2.devel.10772
Rails: 3.2.8
Ruby: 1.9.3 (x86_64-linux)

History

#1 Updated by Daniel Felix over 4 years ago

  • Status changed from New to Confirmed
  • Priority changed from Normal to High

Hi,

I can confirm this with current trunk (10781)!

#2 Updated by Ricardo S over 4 years ago

This can be fixed with the following modifications on the TimeEntry model:

  # Create this method: a time entry is visible only if its issue is visible
  # AND the user may view time entries in the project
  def self.visible_condition(user, options={})
    "(#{Issue.visible_condition(user, options)} AND #{Project.allowed_to_condition(user, :view_time_entries, options)})"
  end

  # Update the :visible scope so it joins the issue and applies the combined condition
  scope :visible, lambda {|*args| {
    :include => [:project, :issue],
    :conditions => TimeEntry.visible_condition(args.shift || User.current, *args)
  }}

With these changes, time entries on private issues will no longer be visible on the search results page or on the /projects/:id/time_entries page.
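The check proposed above, and the case raised later in this thread (a user holding the time-entry permission but lacking visibility of the private issue itself), modelled as a self-contained example. This is an added illustration, not Redmine's code: the Struct fields, the constants, and the helper names allowed_to?, issue_visible? and visible_time_entries* are assumptions standing in for Project.allowed_to_condition and Issue.visible_condition, and the private-issue rule (author, assignee, or a role that sees all issues) is a simplification of Redmine's behaviour.

```ruby
# Added example, not Redmine's code. Struct fields, constants and helper names
# are assumptions for illustration only.

User      = Struct.new(:id, :admin, :permissions, :issues_visibility, keyword_init: true)
Project   = Struct.new(:id, :member_ids, keyword_init: true)
Issue     = Struct.new(:id, :project_id, :is_private, :author_id, :assigned_to_id, keyword_init: true)
TimeEntry = Struct.new(:id, :project_id, :issue_id, :user_id, :hours, keyword_init: true)

# Project-level check (stand-in for Project.allowed_to_condition): admins pass,
# otherwise the user must be a member of the project holding the permission.
def allowed_to?(user, project, permission)
  return true if user.admin
  project.member_ids.include?(user.id) && user.permissions.include?(permission)
end

# Issue-level check (stand-in for Issue.visible_condition). A private issue is
# shown only to a role that sees all issues, or to its author / assignee.
def issue_visible?(user, issue, projects)
  return true if user.admin
  return false unless allowed_to?(user, projects.fetch(issue.project_id), :view_issues)
  return true unless issue.is_private
  user.issues_visibility == :all ||
    issue.author_id == user.id || issue.assigned_to_id == user.id
end

# BEFORE the fix: only the project permission is consulted, so every entry in a
# project the user may view is listed, including entries on private issues.
def visible_time_entries_project_only(user, entries, projects)
  entries.select { |e| allowed_to?(user, projects.fetch(e.project_id), :view_time_entries) }
end

# AFTER the fix: both conditions must hold, as in the proposed
# TimeEntry.visible_condition. Entries not tied to an issue keep the project check.
def visible_time_entries(user, entries, issues, projects)
  entries.select do |e|
    next false unless allowed_to?(user, projects.fetch(e.project_id), :view_time_entries)
    e.issue_id.nil? || issue_visible?(user, issues.fetch(e.issue_id), projects)
  end
end

# --- constructed sample data (not from the report) ---
PROJECTS = { 1 => Project.new(id: 1, member_ids: [10, 20]) }
ISSUES = {
  100 => Issue.new(id: 100, project_id: 1, is_private: false, author_id: 10, assigned_to_id: nil),
  101 => Issue.new(id: 101, project_id: 1, is_private: true,  author_id: 20, assigned_to_id: nil),
}
ENTRIES = [
  TimeEntry.new(id: 1, project_id: 1, issue_id: 100, user_id: 10, hours: 2.0),
  TimeEntry.new(id: 2, project_id: 1, issue_id: 101, user_id: 20, hours: 1.5), # logged on the private issue
  TimeEntry.new(id: 3, project_id: 1, issue_id: nil, user_id: 20, hours: 0.5), # project-level entry, no issue
]
# Member with the time-entry permission but default issue visibility: must not see entry 2.
MEMBER_DEFAULT = User.new(id: 10, admin: false, permissions: [:view_issues, :view_time_entries], issues_visibility: :default)
# Author of the private issue: sees all three.
PRIVATE_AUTHOR = User.new(id: 20, admin: false, permissions: [:view_issues, :view_time_entries], issues_visibility: :default)
# Non-member: sees nothing regardless of role settings.
OUTSIDER       = User.new(id: 99, admin: false, permissions: [:view_issues, :view_time_entries], issues_visibility: :all)

if __FILE__ == $PROGRAM_NAME
  puts "project check only: #{visible_time_entries_project_only(MEMBER_DEFAULT, ENTRIES, PROJECTS).map(&:id).inspect}"
  puts "project AND issue:  #{visible_time_entries(MEMBER_DEFAULT, ENTRIES, ISSUES, PROJECTS).map(&:id).inspect}"
end
```

The design point is that the time entry inherits the visibility of the object it is attached to: checking the project permission alone answers "may this user see time entries here?" but not "may this user see the issue this entry describes?", and the leak is the gap between those two questions.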

#3 Updated by Etienne Massip over 4 years ago

  • Target version set to Candidate for next minor release

#4 Updated by Toshi MARUYAMA about 4 years ago

What status is this issue?

#5 Updated by Marius BALTEANU about 1 month ago

Time entries logged on private issues are still visible to users who have permission to see all time entries but do not have permission to see the respective issues.

Is this a defect or is it the expected behaviour?
