Defect #23175: Ticket overview table on project page (from 3.2) exposes trackers to user roles with insufficient permissions - Redmine

Actions

Copy link

Defect #23175

closed

Ticket overview table on project page (from 3.2) exposes trackers to user roles with insufficient permissions

Added by Tobias Fischer almost 8 years ago. Updated almost 8 years ago.

Status:

Closed

Priority:

High

Assignee:

Category:

Projects

Target version:

Start date:

Due date:

% Done:

Estimated time:

Resolution:

Fixed

Affected version:

3.2.0

Description

Let's say you have a project "A" with internal and external users.
And then there's project "B" which is a subproject of "A" and only internal users are allowed.
The internal project "B" uses the same trackers like project "A" plus some additional ones.

When an external user accesses the project "A" project page (overview) it can see the project-"B"-only trackers in the ticket overview table.
At least, the ticket counter is set to "0" in all columns, but still I would expect the tracker beeing hidden when the user role cannot access it!

This problem exists since Redmine 3.2

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Redmine

Custom queries

Defect #23175

Ticket overview table on project page (from 3.2) exposes trackers to user roles with insufficient permissions

Updated by Jean-Philippe Lang almost 8 years ago

Updated by Tobias Fischer almost 8 years ago

Updated by Jean-Philippe Lang almost 8 years ago

Updated by Toshi MARUYAMA almost 8 years ago