Defect #15834

Creating subtask without having permission on parent issue tracker

Added by Daniele Pedroni almost 4 years ago. Updated almost 4 years ago.

Status:ClosedStart date:
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:Permissions and roles
Target version:-
Resolution:Invalid Affected version:2.4.2

Description

In my Redmine I have multiple trackers, multiple roles and crossed permissions: let's say "developer" user can create issues with "bugfix" tracker and "salesman" user can create issues with "request" tracker but not viceversa.

Then, if "developer" user tries to create a subtask on a "request" issue, the following view is kind of broken, not displaying tracker selection at all and reporting some "random" fields. By clicking on Create at the bottom, the page returns an error but magically heals itself, showing the correct expected view expected! Obviously, the same error is achievable also if "salesman" user tries to create a subtask under "bugfix" issue...

I think users should not be forced to have "create issue" permissions on a specific issue tracker if they only have to create subtask (with different trackers, naturally: the ones they're in charge of) on it. And it looks like it's not only my thought, since forcing the subtask creation when the view is broken leads to the expected page!

Anyone experienced this? I looked for some information on it but I didn't find anything...

My Redmine installation comes from Bitnami stack 2.4.2-0, containing:
- Redmine 2.4.2
- Apache 2.4.7
- ImageMagick 6.7.5
- MySQL 5.5.34
- Subversion 1.8.4
- Git 1.8.3
- Ruby 1.9.3-p484
- Rails 3.2.16
- RubyGems 1.8.12

and plugins:
- extended fields 0.2.2
- projects table plugin 0.0.4
- DMSF 1.4.7 devel
- Redmine Multi Column Custom Fields plugin 0.0.1
- Redmine Tracker Control plugin 1.0.8

History

#1 Updated by Jean-Philippe Lang almost 4 years ago

  • Status changed from New to Closed
  • Resolution set to Invalid

let's say "developer" user can create issues with "bugfix" tracker and "salesman" user can create issues with "request" tracker but not viceversa

There's no such option in Redmine core. This is a plugin issue (Redmine Tracker Control plugin I guess).

#2 Updated by Daniele Pedroni almost 4 years ago

Sorry JPL, you're right.

Maybe I'll open a new issue to suggest to add this feature in Redmine core, it is very useful as well as simple to implement...

thank you.

#3 Updated by Daniele Pedroni almost 4 years ago

Finally I found the problem: I set "Tracker" (as well as many other fields) as read only in the default tracker. As per my previous example: if Salesman tried to create a Request subtask under an existing Request issue, everything went fine. But if Developer tried, since it didn't have rights on Request tracker, it fell in the default tracker, so there was no way to change it!

Then I took "Read Only" attribute for all roles in default tracker (and any other tracker, to be safe on that), and now it works as expected. Note that also Parent Task was read only, so also that information got lost in the subtask creation.

This is only the confirmation of what JPL explained, anyway I wrote it down here to help other people who may fall in the same fault in the future.

Also available in: Atom PDF