Defect #20206

Members w/o view issues permission are able to list issues on public projects if the non member role has the permission

Added by Toshi MARUYAMA over 3 years ago. Updated about 3 years ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: Jean-Philippe Lang
% Done: 0%
Category: Issues
Target version: 3.1.0
Resolution: Fixed
Affected version: 3.0.3

Description

Direct links return 403.
  • /issues/<id>
  • /projects/<id>/issues

But issues of a project with no "View Issues" role are listed on "View all issues".


Related issues

Related to Redmine - Defect #19602: Non-Reporter role cannot see issue list Needs feedback

Associated revisions

Revision 14450
Added by Jean-Philippe Lang about 3 years ago

Fixed that members without view issues permission are able to list issues on public projects if the non member role has the permission (#20206).

History

#1 Updated by Jean-Philippe Lang over 3 years ago

This happens because your "Non member" role has the "View issues" permission.
Issue.visible and Issue#visible? don't behave the same in this particular case. Issue.visible considers the non member permissions even for members, but Issue#visible? does not. I think that members should not have fewer permissions than non members and behaviour should be aligned on the Issue.visible scope.

#2 Updated by Jean-Philippe Lang about 3 years ago

  • Status changed from New to Closed
  • Assignee set to Jean-Philippe Lang
  • Resolution set to Fixed

#3 Updated by Jean-Philippe Lang about 3 years ago

  • Subject changed from "View all issues" lists issues nevertheless role has no "View Issues" to Members w/o view issues permission are able to list issues on public projects if the non member role has the permission

#4 Updated by Toshi MARUYAMA about 3 years ago

  • Related to Defect #19602: Non-Reporter role cannot see issue list added
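
A simplified Ruby model of the mismatch described in comment #1, added here as an illustration and not taken from Redmine's source; the structs, method names and sample data are hypothetical. It shows the list path and the direct-link path disagreeing for a member whose role lacks the permission, plus an invariant check that a regression test can use to flag the gap.

```ruby
# Simplified model, NOT Redmine's code: every name below is hypothetical.
Role    = Struct.new(:name, :permissions)
Project = Struct.new(:name, :is_public, :issues)
User    = Struct.new(:name, :memberships) # memberships: { project name => [Role] }

# The built-in role applied to users who are not members of a project.
NON_MEMBER = Role.new("Non member", [:view_issues])

def grants_view?(roles)
  roles.any? { |role| role.permissions.include?(:view_issues) }
end

# List path ("View all issues"): as comment #1 describes for the scope, the
# non-member permission is honoured on public projects even for members.
def list_visible(user, projects)
  projects.select { |proj|
    grants_view?(user.memberships.fetch(proj.name, [])) ||
      (proj.is_public && grants_view?([NON_MEMBER]))
  }.flat_map(&:issues)
end

# Direct-link path: for a member, only the member's own roles count; the
# non-member role applies only when the user has no membership at all.
def record_visible?(user, proj)
  roles = user.memberships[proj.name]
  roles = [NON_MEMBER] if roles.nil? && proj.is_public
  grants_view?(roles || [])
end

# Invariant check: issues that appear in the list although the per-record
# check denies them. An empty result means both paths agree.
def listed_but_forbidden(user, projects)
  listed = list_visible(user, projects)
  projects.reject { |proj| record_visible?(user, proj) }
          .flat_map { |proj| proj.issues & listed }
end

# Constructed sample data.
WIKI_ONLY = Role.new("Wiki reader", [:view_wiki]) # member role without :view_issues
PUBLIC    = Project.new("public-app", true, ["#101", "#102"])
PRIVATE   = Project.new("internal", false, ["#201"])
MEMBER    = User.new("alice", { "public-app" => [WIKI_ONLY] })
OUTSIDER  = User.new("bob", {})

if __FILE__ == $PROGRAM_NAME
  [MEMBER, OUTSIDER].each do |user|
    puts "#{user.name}: #{listed_but_forbidden(user, [PUBLIC, PRIVATE]).inspect}"
  end
end
```
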
