Defect #23655

Restricted permissions for non member/anonymous on a given project not working

Added by Alexander Schittler 5 months ago. Updated 5 months ago.

Status:ClosedStart date:
Priority:NormalDue date:
Assignee:Jean-Philippe Lang% Done:

0%

Category:Permissions and roles
Target version:3.1.7
Resolution:Fixed Affected version:3.1.3

Description

When assigning a custom role "Non-member user", permission inheritance is broken (or simply undefined behavior because the Yes/No/Never model does not apply) on some views, when:

  • The default "Non-member user" role has View Issue and Issue Visibility set to all.
  • The custom assigned role has View Issue, but Issue Visibility set to created and assigned.

With this setup, the user will be able to see Issues not related to them at /issues, but /issues/<id> will throw a 403.

This might affect other features that use role-based filtering too (e.g. Time Logs, Users).

project-setting.png (18.7 KB) Toshi MARUYAMA, 2016-08-25 04:12

role.png (43.2 KB) Toshi MARUYAMA, 2016-08-25 04:12

desired_member_settings.png (109 KB) Holger Just, 2016-08-25 11:25

Associated revisions

Revision 15750
Added by Jean-Philippe Lang 5 months ago

Fixed that restricted custom permissions on for non member/anonymous does not work (#23655).

History

#1 Updated by Toshi MARUYAMA 5 months ago

  • Status changed from New to Needs feedback

I cannot reproduce on vanilla Redmine 3.1.6.
I think this is fixed by #20206.

#2 Updated by Holger Just 5 months ago

I can reproduce it on 3.2-stable (the Affected version is set to 3.1.3 since this is the latest version available in the custom field). The actual issue was found on a Redmine 3.2.1.

#20206 fixes a related issue for the default non-member role. Now with a custom non-member role, the problem is back. It is however important to strictly reproduce the setup described by Alexander: you need the default non-member role to have the Issue visibility set to all. You also need a different role with restricted issue visibility assigned as non-member role for the specific project.

The result is that Project.allowed_to_condition first considers the default non-member role and adds statements since the default role has the permission to view all issues. However, the custom role has not. Now the bug is that Project.allowed_to_condition does not consider custom default-roles in this first step. They are only considered later in User#projects_by_role.

I think a quick patch could look like this (mostly untested):

diff --git a/app/models/project.rb b/app/models/project.rb
index 197f45e..9f177ee 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -197,7 +197,7 @@ class Project < ActiveRecord::Base
         if role.allowed_to?(permission)
           s = "#{Project.table_name}.is_public = #{connection.quoted_true}" 
           if user.id
-            s = "(#{s} AND #{Project.table_name}.id NOT IN (SELECT project_id FROM #{Member.table_name} WHERE user_id = #{user.id}))" 
+            s = "(#{s} AND #{Project.table_name}.id NOT IN (SELECT project_id FROM #{Member.table_name} LEFT OUTER JOIN #{Principal.table_name} ON #{Member.table_name}.user_id = #{Principal.table_name}.id WHERE #{Member.table_name}.user_id = #{user.id} OR #{Principal.table_name}.type IN ('GroupAnonymous', 'GroupNonMember')))" 
           end
           statement_by_role[role] = s
         end

#3 Updated by Toshi MARUYAMA 5 months ago

I still cannot reproduce on 3.2-stable.
I cannot understand "You also need a different role with restricted issue visibility assigned as non-member role for the specific project."

#4 Updated by Holger Just 5 months ago

@Toshi: The role (test02 in your case) needs to be assigned to the project for Non member users, that is, you don't assign the role to an actual user but you set it a custom non-member role for the project. The user can not be an explicit member of the project. This feature to set a custom non-member role was added in #17976.

The settings screen should thus look like this:

#5 Updated by Toshi MARUYAMA 5 months ago

  • Status changed from Needs feedback to Confirmed
  • Target version set to 3.1.7

I got it.

#6 Updated by Jean-Philippe Lang 5 months ago

  • Subject changed from Permissions model applied inconsistently to Restricted permissions for non member/anonymous on a given project not working
  • Status changed from Confirmed to Resolved
  • Assignee set to Jean-Philippe Lang
  • Resolution set to Fixed

Fixed in r15750, thanks for pointing this out.

#7 Updated by Jean-Philippe Lang 5 months ago

  • Status changed from Resolved to Closed

Also available in: Atom PDF