Feature #23997

Per role visibility settings for version custom fields

Added by Jens Krämer over 7 years ago. Updated about 4 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Custom fields
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution:

Description

For issue custom fields, one can already select which roles should be allowed to view this field.

This patch, developed at Planio and sponsored by SDZeCOM GmbH, introduces the same setting for project and version custom fields.


Related issues

Related to Redmine - Feature #5037: Role-based issue custom field visibility (Closed, Jean-Philippe Lang, 2010-03-10)
Related to Redmine - Feature #31859: Per role visibility settings for spent time custom fields (Closed, Go MAEDA)
Related to Redmine - Feature #31925: Per role visibility settings for project custom fields (Closed, Go MAEDA)
Related to Redmine - Patch #31954: Reject project/version custom field values not visible to user (Closed, Go MAEDA)
Has duplicate Redmine - Feature #15416: Role-based issue custom field visibility for projects (Closed)
#1

Updated by Jan from Planio www.plan.io over 7 years ago

  • Target version set to Candidate for next minor release
#2

Updated by Jens Krämer over 7 years ago

Turns out the patch led to invalid SQL for project custom fields; here is an updated version which overrides CustomField#visibility_by_project_condition in ProjectCustomField to work with the correct project_key (that is, projects.id instead of projects.project_id).

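The fix described in the comment above, as an added example in plain Ruby that is not the patch's own code: a stripped-down model of how a custom field's per-role visibility is turned into a SQL condition, and why the project-level field has to supply a different project key. Class and method names mirror Redmine's, but the bodies, the `members`/`member_roles` join and the sample user are constructed for this illustration.

```ruby
# Added example, not code from the Redmine patch: a plain-Ruby model of how a
# custom field's per-role visibility becomes a SQL condition, and why the
# project custom field needs a different project key. Class names mirror
# Redmine's; the bodies and the table layout are hypothetical.

class User
  attr_reader :id

  def initialize(id, admin: false)
    @id = id
    @admin = admin
  end

  def admin?
    @admin
  end
end

class CustomField
  attr_reader :id, :visible, :role_ids

  # visible: true  -> anyone may see the field
  # visible: false -> "to these roles only", restricted to role_ids
  def initialize(id, visible: true, role_ids: [])
    @id = id
    @visible = visible
    @role_ids = role_ids
  end

  # Table holding the customized objects (versions here); hypothetical.
  def customized_table
    'versions'
  end

  # SQL fragment restricting customized rows to those the user may see.
  # project_key names the column that links a customized row to its project.
  def visibility_by_project_condition(user, project_key = nil)
    project_key ||= "#{customized_table}.project_id"
    return '1=1' if visible || user.admin?
    # Roles-only with no role checked means admin-only (as agreed in this
    # thread); returning 1=0 also avoids emitting an invalid empty "IN ()".
    return '1=0' if role_ids.empty?

    ids = role_ids.map { |r| Integer(r) }.join(',') # Integer() rejects non-numeric input
    "EXISTS (SELECT 1 FROM members m " \
      "JOIN member_roles mr ON mr.member_id = m.id " \
      "WHERE m.user_id = #{Integer(user.id)} " \
      "AND m.project_id = #{project_key} " \
      "AND mr.role_id IN (#{ids}))"
  end
end

class VersionCustomField < CustomField
end

class ProjectCustomField < CustomField
  def customized_table
    'projects'
  end

  # A project custom field hangs off the project row itself, so the linking
  # column is projects.id; the inherited default would produce
  # projects.project_id, a column that does not exist (the invalid SQL above).
  def visibility_by_project_condition(user, project_key = nil)
    super(user, project_key || 'projects.id')
  end
end

# Usage with a constructed non-admin user and two roles-only fields.
if __FILE__ == $PROGRAM_NAME
  user = User.new(7)
  puts VersionCustomField.new(1, visible: false, role_ids: [3, 4]).visibility_by_project_condition(user)
  puts ProjectCustomField.new(2, visible: false, role_ids: [3]).visibility_by_project_condition(user)
end
```

The override is the whole fix: only the column name changes, and the base method keeps building the membership subquery. The `1=0` branch is where the "roles-only with no roles checked" case discussed later in this thread lands for non-admin users.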
#3

Updated by Toshi MARUYAMA over 7 years ago

  • Related to Feature #5037: Role-based issue custom field visibility added
#4

Updated by Toshi MARUYAMA over 7 years ago

Could you add tests like r12012?

#5

Updated by Mariusz Zielinski almost 7 years ago

Hello,
When may we expect custom fields per role visibility to be available? (This could be a really powerful feature.)

#6

Updated by Go MAEDA almost 5 years ago

  • Category set to Custom fields
#7

Updated by Go MAEDA over 4 years ago

  • Has duplicate Feature #15416: Role-based issue custom field visibility for projects added
#8

Updated by Marius BĂLTEANU over 4 years ago

  • Related to Feature #31859: Per role visibility settings for spent time custom fields added
#9

Updated by Marius BĂLTEANU over 4 years ago

  • Assignee set to Marius BĂLTEANU

I'll update these patches in order to be applied on top of #31859. Jens Krämer, maybe you'll have time to review my work.

#10

Updated by Jens Krämer over 4 years ago

Sure!

#11

Updated by Marius BĂLTEANU over 4 years ago

I've attached the patch that adds per role visibility settings for project.

Working on it, I've observed an inconsistent behaviour (which I consider a defect/security issue): the project custom fields not visible to normal users are still visible in project settings to those users who have access to project settings. This issue can be easily reproduced using the test test_settings_should_not_display_custom_fields_not_visible_for_user added by me in test/functional/projects_controller_test.

Also, in order to keep the current behaviour where a custom field can be displayed in project#show only for admin users, we cannot validate the roles values when saving a project custom field (as we do for issues/spent entries) in order to allow saving a custom field with "to these roles only:" checked, but without any role checked (which is the equivalent of visible: false). Otherwise, we need to add a new option to visibility in order to allow "admin only".

Tests pass: https://gitlab.com/redmine-org/redmine/pipelines/76036437

Jens Krämer, Go Maeda, what do you think about these changes?

#12

Updated by Go MAEDA over 4 years ago

Marius BALTEANU wrote:

Working on it, I've observed an inconsistent behaviour (which I consider a defect/security issue): the project custom fields not visible to normal users are still visible in project settings to those users who have access to project settings.

The behavior will be fixed by your patch and the new behavior is straightforward.

Also, in order to keep the current behaviour where a custom field can be displayed in project#show only for admin users, we cannot validate the roles values when saving a project custom field (as we do for issues/spent entries) in order to allow saving a custom field with "to these roles only:" checked, but without any role checked (which is the equivalent of visible: false).

I think it is OK.

#13

Updated by Jens Krämer over 4 years ago

Looks good to me!

#14

Updated by Marius BĂLTEANU over 4 years ago

  • Related to Feature #31925: Per role visibility settings for project custom fields added
#15

Updated by Marius BĂLTEANU over 4 years ago

Attached the patch for version custom fields.
Jens, do you remember why you overrode the safe_attributes= method in your proposed patch for Version?

Tests pass: https://gitlab.com/redmine-org/redmine/pipelines/77404580

#16

Updated by Jens Krämer over 4 years ago

Marius Ionescu - From the looks of it I would say I did that to prevent a user from setting the values of fields they cannot see through a crafted request. The same logic is present in the issue model. Strictly speaking, the same should be done for projects.

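The write-side check Jens describes, as an added example in plain Ruby that is not Redmine's or the patch's code: a version model whose safe_attributes= setter drops custom field values for fields the current user cannot see, so a crafted request carrying the hidden field's id is silently ignored rather than written. Names mirror Redmine's models (User, CustomField, Version, safe_attributes=, visible_by?); the bodies, the role ids and the request hash are constructed for this illustration.

```ruby
# Added example, not Redmine's code: a plain-Ruby sketch of safe_attributes=
# filtering custom field values by visibility before mass assignment.
# Names mirror Redmine's models; the bodies and fixtures are constructed.

Role = Struct.new(:id, :name)

class User
  def initialize(admin: false, roles_by_project: {})
    @admin = admin
    @roles_by_project = roles_by_project
  end

  def admin?
    @admin
  end

  def roles_for_project(project)
    @roles_by_project.fetch(project, [])
  end
end

class CustomField
  attr_reader :id, :visible, :role_ids

  def initialize(id, visible: true, role_ids: [])
    @id = id
    @visible = visible
    @role_ids = role_ids
  end

  # Admins and "visible to any role" fields pass; otherwise the user must hold
  # one of the listed roles in that project. Roles-only with no role checked
  # is therefore admin-only, as agreed earlier in this thread.
  def visible_by?(project, user)
    return true if user.admin? || visible
    (user.roles_for_project(project).map(&:id) & role_ids).any?
  end
end

class Version
  SAFE_ATTRIBUTE_NAMES = %w[name description custom_field_values].freeze

  attr_reader :project, :name, :description, :custom_field_values

  def initialize(project, available_fields)
    @project = project
    @fields_by_id = available_fields.to_h { |f| [f.id, f] }
    @custom_field_values = {}
  end

  # Mass-assignment entry point for request parameters. Keys outside the
  # whitelist are dropped, and custom field values survive only for fields
  # visible to user, so a crafted request cannot write (or clear) a hidden one.
  def safe_attributes=(attrs, user)
    attrs = attrs.to_h { |k, v| [k.to_s, v] }.select { |k, _| SAFE_ATTRIBUTE_NAMES.include?(k) }
    if attrs['custom_field_values'].is_a?(Hash)
      attrs['custom_field_values'] = attrs['custom_field_values'].select do |field_id, _value|
        field = @fields_by_id[field_id.to_i]
        field && field.visible_by?(project, user)
      end
    end
    @name = attrs['name'] if attrs.key?('name')
    @description = attrs['description'] if attrs.key?('description')
    @custom_field_values.merge!(attrs['custom_field_values']) if attrs['custom_field_values']
  end
end

# Constructed fixtures: two roles, three fields with different visibility, and
# a request that tries to write all of them plus a non-whitelisted attribute.
MANAGER   = Role.new(1, 'Manager')
DEVELOPER = Role.new(2, 'Developer')
FIELDS = [
  CustomField.new(1),                                        # visible to anyone
  CustomField.new(2, visible: false, role_ids: [MANAGER.id]), # managers only
  CustomField.new(3, visible: false, role_ids: [])           # roles-only, none checked: admin only
].freeze
CRAFTED_REQUEST = {
  'name' => '1.0',
  'sharing' => 'system',                                     # not whitelisted, dropped
  'custom_field_values' => { '1' => 'public', '2' => 'budget', '3' => 'internal' }
}.freeze

# Assigns the crafted request as the given user and returns what was kept.
def assign_as(user)
  version = Version.new(1, FIELDS)
  # A setter taking a second argument has to be invoked via send, as Redmine does.
  version.public_send(:safe_attributes=, CRAFTED_REQUEST, user)
  version.custom_field_values
end

if __FILE__ == $PROGRAM_NAME
  p assign_as(User.new(roles_by_project: { 1 => [DEVELOPER] })) # {"1"=>"public"}
  p assign_as(User.new(roles_by_project: { 1 => [MANAGER] }))   # {"1"=>"public", "2"=>"budget"}
  p assign_as(User.new(admin: true))                            # all three values
end
```

Filtering in the setter rather than in the controller is what makes the protection hold for every entry point (web form, REST API, any future caller), which is the reason the same logic lives in Redmine's issue model; the read-side visibility fix discussed above without this write-side check would still let a hidden field be overwritten by anyone who knows its id.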
#17

Updated by Marius BĂLTEANU over 4 years ago

  • Assignee deleted (Marius BĂLTEANU)
  • Target version changed from Candidate for next minor release to 4.1.0

Jens Krämer wrote:

Marius Ionescu - From the looks of it I would say I did that to prevent a user from setting the values of fields they cannot see through a crafted request. The same logic is present in the issue model. Strictly speaking, the same should be done for projects.

Got it, thanks. Next week I’ll add new patches to implement this logic to Spent time, Project and Version.

Until then, we can deliver this one.

#18

Updated by Go MAEDA over 4 years ago

  • Status changed from New to Closed
  • Assignee set to Go MAEDA

Committed the patch. Thank you for your contribution.

#19

Updated by Marius BĂLTEANU over 4 years ago

  • Related to Patch #31954: Reject project/version custom field values not visible to user added
#20

Updated by Jean-Philippe Lang about 4 years ago

  • Tracker changed from Patch to Feature