Patch #23997

Per role visibility settings for version custom fields

Added by Jens Krämer about 3 years ago. Updated 4 months ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: Go MAEDA
% Done: 0%
Category: Custom fields
Target version: 4.1.0

Description

For issue custom fields, one can already select which roles should be allowed to view this field.

This patch, developed at Planio and sponsored by SDZeCOM GmbH, introduces the same setting for project and version custom fields.

0001-per-role-visibility-settings-for-project-and-version.patch (9.7 KB) Jens Krämer, 2016-10-05 04:38

0001-per-role-visibility-settings-for-project-and-version.patch - updated patch (9.9 KB) Jens Krämer, 2016-10-05 11:06

0001-Per-role-visibility-settings-for-project-custom-fiel.patch (4.95 KB) Marius BALTEANU, 2019-08-12 23:48

0001-Per-role-visibility-for-version-custom-fields.patch (8.63 KB) Marius BALTEANU, 2019-08-20 22:30


Related issues

Related to Redmine - Feature #5037: Role-based issue custom field visibility Closed 2010-03-10
Related to Redmine - Patch #31859: Per role visibility settings for spent time custom fields Closed
Related to Redmine - Feature #31925: Per role visibility settings for project custom fields Closed
Related to Redmine - Patch #31954: Reject project/version custom field values not visible to... Closed
Duplicated by Redmine - Feature #15416: Role-based issue custom field visibility for projects Closed

Associated revisions

Revision 18386
Added by Go MAEDA 4 months ago

Per role visibility settings for version custom fields (#23997).

Patch by Jens Krämer and Marius BALTEANU.

Revision 18387
Added by Go MAEDA 4 months ago

Add VersionsCustomFieldsVisibilityTest (#23997).

Patch by Marius BALTEANU.

Revision 18402
Added by Go MAEDA 4 months ago

Reject version custom field values not visible for the user (#31954, #23997).

Patch by Marius BALTEANU.

Revision 19328
Added by Go MAEDA 8 days ago

Merged r19327 from trunk to 4.1-stable ( #32540, #31954, #23997).

History

#1 Updated by Jan from Planio www.plan.io about 3 years ago

  • Target version set to Candidate for next minor release

#2 Updated by Jens Krämer about 3 years ago

Turns out the patch led to invalid SQL for project custom fields; here is an updated version which overrides CustomField#visibility_by_project_condition in ProjectCustomField to work with the correct project_key (that is, projects.id instead of projects.project_id).

#3 Updated by Toshi MARUYAMA about 3 years ago

  • Related to Feature #5037: Role-based issue custom field visibility added

#4 Updated by Toshi MARUYAMA about 3 years ago

Could you add tests like r12012?

#5 Updated by Mariusz Zielinski over 2 years ago

Hello,
When may we expect custom fields per role visibility to be available? (This could be a really powerful feature.)

#6 Updated by Go MAEDA 7 months ago

  • Category set to Custom fields

#7 Updated by Go MAEDA 4 months ago

  • Duplicated by Feature #15416: Role-based issue custom field visibility for projects added

#8 Updated by Marius BALTEANU 4 months ago

  • Related to Patch #31859: Per role visibility settings for spent time custom fields added

#9 Updated by Marius BALTEANU 4 months ago

  • Assignee set to Marius BALTEANU

I'll update these patches in order to be applied on top of #31859. Jens Krämer, maybe you'll have time to review my work.

#10 Updated by Jens Krämer 4 months ago

Sure!

#11 Updated by Marius BALTEANU 4 months ago

I've attached the patch that adds per role visibility settings for project.

Working on it, I've observed an inconsistent behaviour (which I consider a defect/security issue): the project custom fields not visible for normal users are still visible in project settings for those users who have access to project settings. This issue can be easily reproduced using the test test_settings_should_not_display_custom_fields_not_visible_for_user added by me in test/functional/projects_controller_test.

Also, in order to keep the current behaviour where a custom field can be displayed in project#show only for admin users, we cannot validate the roles values when saving a project custom field (as we do for issues/spent entries) in order to allow saving a custom field with "to these roles only:" checked, but without any role checked (which is the equivalent of visible: false). Otherwise, we need to add a new option to visibility in order to allow "admin only".

Tests pass: https://gitlab.com/redmine-org/redmine/pipelines/76036437

Jens Krämer, Go Maeda, what do you think about these changes?

#12 Updated by Go MAEDA 4 months ago

Marius BALTEANU wrote:

Working on it, I've observed an inconsistent behaviour (which I consider a defect/security issue): the project custom fields not visible for normal users are still visible in project settings for those users who have access to project settings.

The behavior will be fixed by your patch and the new behavior is straightforward.

Also, in order to keep the current behaviour where a custom field can be displayed in project#show only for admin users, we cannot validate the roles values when saving a project custom field (as we do for issues/spent entries) in order to allow saving a custom field with "to these roles only:" checked, but without any role checked (which is the equivalent of visible: false).

I think it is OK.

#13 Updated by Jens Krämer 4 months ago

Looks good to me!

#14 Updated by Marius BALTEANU 4 months ago

  • Related to Feature #31925: Per role visibility settings for project custom fields added

#15 Updated by Marius BALTEANU 4 months ago

Attached the patch for version custom fields.
Jens, do you remember why you overrode the @safe_attributes= method in your proposed patch for Version?

Tests pass: https://gitlab.com/redmine-org/redmine/pipelines/77404580

#16 Updated by Jens Krämer 4 months ago

@Marius - From the looks of it I would say I did that to prevent a user from setting the values of fields they cannot see through a crafted request. The same logic is present in the issue model. Strictly speaking the same should be done for projects.
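The two checks discussed in notes #11 and #16 (render only the fields a user may see, and refuse values for hidden fields on mass assignment) as a stand-alone Ruby example. This is added illustration, not Redmine's own code: FieldDef, Member, Version#visible_custom_fields and Version#assign_safe_attributes are hypothetical stand-ins for CustomField#visible_by? and the safe_attributes= override Jens describes, and the roles, fields and request body are constructed sample data.

```ruby
# Added example, not Redmine's own code: a small stand-alone model of the two
# checks discussed in this thread. Class and method names (FieldDef, Member,
# Version#assign_safe_attributes) are hypothetical stand-ins for Redmine's
# CustomField#visible_by? and the safe_attributes= override.

MANAGER_ROLE   = 1
DEVELOPER_ROLE = 2
PROJECT_ID     = 42

# A custom field definition. `visible` means "visible to all roles";
# otherwise only the listed role ids may see it. An empty role list with
# visible=false is the "admin only" case described in note #11.
FieldDef = Struct.new(:id, :name, :visible, :role_ids) do
  def visible_by?(project_id, user)
    return true if visible
    return true if user.admin
    (user.roles_for(project_id) & role_ids).any?
  end
end

# A user with per-project role memberships ({ project_id => [role ids] }).
Member = Struct.new(:login, :admin, :memberships) do
  def roles_for(project_id)
    memberships.fetch(project_id, [])
  end
end

class Version
  SAFE_ATTRIBUTE_NAMES = %w[name description custom_field_values].freeze

  attr_reader :project_id, :name, :description, :custom_field_values

  def initialize(project_id, fields)
    @project_id = project_id
    @fields = fields
    @custom_field_values = {}
  end

  # The fields a given user is allowed to see; a settings form should render
  # only these (the gap note #11 reports for project settings).
  def visible_custom_fields(user)
    @fields.select { |f| f.visible_by?(project_id, user) }
  end

  # Mass-assignment guard in the spirit of safe_attributes=: unknown keys are
  # dropped, and custom field values are kept only for fields the acting user
  # can see, so a request carrying ids of hidden fields cannot write them.
  # Returns the rejected field ids, which is useful for logging and tests.
  def assign_safe_attributes(attrs, user)
    rejected = []
    attrs.each do |key, value|
      next unless SAFE_ATTRIBUTE_NAMES.include?(key.to_s)
      if key.to_s == 'custom_field_values'
        allowed = visible_custom_fields(user).map { |f| f.id.to_s }
        value.each do |field_id, v|
          if allowed.include?(field_id.to_s)
            @custom_field_values[field_id.to_s] = v
          else
            rejected << field_id.to_s
          end
        end
      else
        instance_variable_set("@#{key}", value)
      end
    end
    rejected
  end
end

# Constructed sample data
FIELDS = [
  FieldDef.new(1, 'Release notes',   true,  []),
  FieldDef.new(2, 'Internal budget', false, [MANAGER_ROLE]),
  FieldDef.new(3, 'Audit note',      false, [])  # "to these roles only" with no roles: admin only
].freeze

ADMIN     = Member.new('admin',   true,  {})
MANAGER   = Member.new('manager', false, { PROJECT_ID => [MANAGER_ROLE] })
DEVELOPER = Member.new('dev',     false, { PROJECT_ID => [DEVELOPER_ROLE] })

# A constructed request body that tries to set every field, hidden ones included
REQUEST = {
  'name' => '1.0',
  'project_id' => 7,          # not a safe attribute: ignored
  'custom_field_values' => { '1' => 'Bug fixes', '2' => '1000', '3' => 'internal' }
}.freeze

if __FILE__ == $0
  [DEVELOPER, MANAGER, ADMIN].each do |user|
    v = Version.new(PROJECT_ID, FIELDS)
    rejected = v.assign_safe_attributes(REQUEST, user)
    puts "#{user.login}: kept #{v.custom_field_values.keys.inspect}, rejected #{rejected.inspect}"
  end
end
```

Running the file shows the developer keeping only field 1, the manager keeping 1 and 2, and the admin keeping all three; the same visible_custom_fields list is what a settings view should iterate over, so the form and the assignment guard agree on the same rule.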

#17 Updated by Marius BALTEANU 4 months ago

  • Assignee deleted (Marius BALTEANU)
  • Target version changed from Candidate for next minor release to 4.1.0

Jens Krämer wrote:

@Marius - From the looks of it I would say I did that to prevent a user from setting the values of fields they cannot see through a crafted request. The same logic is present in the issue model. Strictly speaking the same should be done for projects.

Got it, thanks. Next week I’ll add new patches to implement this logic to Spent time, Project and Version.

Until then, we can deliver this one.

#18 Updated by Go MAEDA 4 months ago

  • Status changed from New to Closed
  • Assignee set to Go MAEDA

Committed the patch. Thank you for your contribution.

#19 Updated by Marius BALTEANU 4 months ago

  • Related to Patch #31954: Reject project/version custom field values not visible to user added
