Unexpected behaviour on issue fields for users that have multiple roles
|Assignee:||Jean-Philippe Lang||% Done:|
To explain this possible defect let me explain this situation.
We have dozens of projects on which are defined mixed teams of users. We have defined roles for those projects&users.
I will focus on just those facts that matters this issue:
- We have one role that enables users to view just documents and nothing else (lets name it DocViewer).
- We have another role that enables user to report an issue and nothing else (lets name it IssueReporter).
- We have user (User1) that have both roles on some project
- We have defined field restrictions on workflow for IssueReporter on some field. For example we want to force users that owns role IssueReporter to fill some data at custom field (lets name it SomeRequiredField). That was done through workflow for role IssueReporter (on all trackers) by setting Requred attribute on SomeRequredField.
So we expected that User1 will be forced to fill up SomeRequiredField, but it is not happening. User1 still can skip that required field. Reason for this is that the User1 has also role DocViewer. Please note that this role have not any specific workflow nor field restrictions defined.
It would be expected that roles that have not assigned permissions for adding or updating issues should not make any influence on field restrictions (and worflows also) in situations when user owns multiple roles.
Droped legacy behaviour that allows a user to edit a few attributes of an issue without the edit_issues permission if a status transition is allowed (#15988).
Now that we can control permission on each field, this behaviour is no longer needed. The edit_issues permission is now required, which is consistent with the current requirements for bulk edition.
Don't consider roles without issue add/edit permissions for determining fields permissions (#15988).