Defect #1613
closed
Search results shown for commits in projects that a user doesn't have access to
0%
Description
I have several users set up to only be able to access ONE project's Issues, News, and Messages.
Logged in as one of those users, I do an arbitrary search.
From that SEARCH RESULTS page, if you change the pop up to ALL PROJECTS, and immediately re-submit the same search, the checkboxes for other types of searches suddenly appear (documents, changesets, wiki pages, projects).
If you then checkmark all of those boxes, you can do a search that will match commit messages in projects the user shouldn't have access to. You get a permission denied error if you actually try to click through to one, but the full commit message is shown in the search results anyway.
I'm not sure which version of Redmine I have, but I just updated it from Subversion (r1648)
Updated by Jean-Philippe Lang almost 16 years ago
- Status changed from New to Resolved
- Affected version (unused) set to devel
- Resolution set to Fixed
This should be fixed in r1649.
Can you confirm ? Thanks.
Updated by Steven Frank almost 16 years ago
Updated to r1651. Commits for inaccessible projects are no longer matched by the search. Thanks!
The extra checkboxes for search scope still appear when the search is submitted a second time. At this point it's basically just a cosmetic issue, so I leave it to you to decide if it warrants fixing.
Updated by Mischa The Evil over 14 years ago
- Status changed from Resolved to Closed
Steven Frank wrote:
Updated to r1651. Commits for inaccessible projects are no longer matched by the search. Thanks!
This confirms that the initial issue's subject has been solved [sic] I'll close this issue with resolution fixed.
Steven Frank wrote:
The extra checkboxes for search scope still appear when the search is submitted a second time. At this point it's basically just a cosmetic issue, so I leave it to you to decide if it warrants fixing.
This is indeed another thing. It should be filed as a dedicated issue of the tracker-type feature of the category "UI" if there's still a need for such a feature. I'll leave it to the inital author of the issue to take appropriate actions ;)