Defect #12287
open
Time entries of private issues are visible by users without permission to see them
Added by Ricardo S almost 12 years ago.
Updated about 2 years ago.
Description
By accessing /projects/:id/time_entries users can see time entries submitted on private issues even if they don't have access to the issue.
Affected version:
Redmine: 2.1.2.devel.10772
Rails: 3.2.8
Ruby: 1.9.3 (x86_64-linux)
- Status changed from New to Confirmed
- Priority changed from Normal to High
Hi,
I can confirm this with current trunk (10781)!
This can be fixed with the following modifications on the TimeEntry model:
# Create this method
def self.visible_condition(user, options={})
  # A time entry is visible only when the issue is visible to the user
  # AND the project grants :view_time_entries to the user
  "(#{Issue.visible_condition(user, options)} AND #{Project.allowed_to_condition(user, :view_time_entries, options)})"
end

# Update the :visible scope
scope :visible, lambda {|*args| {
  :include => [:project, :issue],
  :conditions => TimeEntry.visible_condition(args.shift || User.current, *args)
}}
With these changes, time entries on private issues will no longer be visible either on the search results page or on the /projects/:id/time_entries page.
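The following is an added example, not Redmine's code or the commenter's patch: it models the behaviour reported above and the proposed coupling with plain Ruby Structs in place of ActiveRecord scopes. All model stand-ins, permission symbols and the fixture data are constructed for illustration.

```ruby
require 'set'
# Constructed stand-ins for the Redmine models (plain Structs, not ActiveRecord);
# users are plain integer ids and Project#members maps user id => permission Set.
Project   = Struct.new(:id, :members)
Issue     = Struct.new(:id, :project, :is_private, :author_id, :assigned_to_id)
TimeEntry = Struct.new(:id, :project, :issue, :user_id, :hours)

# Stand-in for Project.allowed_to_condition(user, permission).
def project_allowed?(project, user_id, permission)
  perms = project.members[user_id]
  !perms.nil? && perms.include?(permission)
end

# Stand-in for Issue.visible_condition: a private issue is visible only to
# its author, its assignee, or a member holding :view_private_issues.
def issue_visible?(issue, user_id)
  return false unless project_allowed?(issue.project, user_id, :view_issues)
  return true unless issue.is_private
  issue.author_id == user_id || issue.assigned_to_id == user_id ||
    project_allowed?(issue.project, user_id, :view_private_issues)
end

# Behaviour reported in the ticket: only the project-level permission is
# checked, so entries on private issues are listed for any time-entry viewer.
def visible_time_entries_original(entries, user_id)
  entries.select { |e| project_allowed?(e.project, user_id, :view_time_entries) }
end

# Coupling proposed in the comment: AND the issue condition into the scope.
# Entries logged directly on the project (no issue) stay visible here.
def visible_time_entries_fixed(entries, user_id)
  entries.select do |e|
    project_allowed?(e.project, user_id, :view_time_entries) &&
      (e.issue.nil? || issue_visible?(e.issue, user_id))
  end
end

# Constructed fixture: user 1 may view time entries and public issues only;
# user 2 (the author) additionally holds :view_private_issues.
def fixture
  project = Project.new(10, {
    1 => Set[:view_issues, :view_time_entries],
    2 => Set[:view_issues, :view_private_issues, :view_time_entries]
  })
  public_issue  = Issue.new(100, project, false, 2, nil)
  private_issue = Issue.new(101, project, true, 2, nil)
  [TimeEntry.new(1, project, public_issue, 2, 1.5),
   TimeEntry.new(2, project, private_issue, 2, 3.0),
   TimeEntry.new(3, project, nil, 2, 0.5)]
end
```

Running `visible_time_entries_original(fixture, 1)` lists all three entries for user 1, while `visible_time_entries_fixed(fixture, 1)` drops entry 2, which belongs to the private issue user 1 cannot see.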
- Target version set to Candidate for next minor release
What status is this issue?
Time entries logged on private issues are still visible to users that have permissions to see all time entries, but they don't have enough permissions to see the respective issues.
Is this a defect or is it the expected behaviour?
- Has duplicate Defect #37729: Time entries listed/visible even for issues not accessible by user added
- Status changed from Confirmed to Needs feedback
Marius BALTEANU wrote:
[...]
Is this a defect or is it the expected behaviour?
I don't think it is a defect. Time entry visibility is (and has always been) independent of issue visibility. Time entries and issues aren't coupled in any way regarding object visibility. AFAIK such coupling was never intended to be part of the scope of issues #7412, #7414 or #8929.
Instead, time entry visibility depends entirely on the :view_time_entries permission together with the "time logs visibility" role setting that determines if the role can view all or own time entries only.
Given the above I'd say we can close this issue as 'won't fix'. However, given the observed expectations and the potential implications, it might be a good idea to open a new feature request for an option to also take issue visibility and/or even issue permissions into account when considering time entry visibility.
What do you think?