Patch #23997

Per role visibility settings for version custom fields

Added by Jens Krämer almost 3 years ago. Updated about 21 hours ago.

Status: New
Priority: Normal
Assignee: Marius BALTEANU
Category: Custom fields
Target version: Candidate for next minor release
Start date:
Due date:
% Done: 0%

Description

For issue custom fields, one can already select which roles should be allowed to view this field.

This patch, developed at Planio and sponsored by SDZeCOM GmbH, introduces the same setting for project and version custom fields.

0001-per-role-visibility-settings-for-project-and-version.patch (9.7 KB) Jens Krämer, 2016-10-05 04:38

0001-per-role-visibility-settings-for-project-and-version.patch - updated patch (9.9 KB) Jens Krämer, 2016-10-05 11:06

0001-Per-role-visibility-settings-for-project-custom-fiel.patch (4.95 KB) Marius BALTEANU, 2019-08-12 23:48

0001-Per-role-visibility-for-version-custom-fields.patch (8.63 KB) Marius BALTEANU, 2019-08-20 22:30


Related issues

Related to Redmine - Feature #5037: Role-based issue custom field visibility Closed 2010-03-10
Related to Redmine - Patch #31859: Per role visibility settings for spent time custom fields Closed
Related to Redmine - Feature #31925: Per role visibility settings for project custom fields Closed
Duplicated by Redmine - Feature #15416: Role-based issue custom field visibility for projects Closed

History

#1 Updated by Jan from Planio www.plan.io almost 3 years ago

  • Target version set to Candidate for next minor release

#2 Updated by Jens Krämer almost 3 years ago

Turns out the patch led to invalid SQL for project custom fields. Here is an updated version which overrides CustomField#visibility_by_project_condition in ProjectCustomField to work with the correct project_key (that is, projects.id instead of projects.project_id).

#3 Updated by Toshi MARUYAMA almost 3 years ago

  • Related to Feature #5037: Role-based issue custom field visibility added

#4 Updated by Toshi MARUYAMA almost 3 years ago

Could you add tests like r12012?

#5 Updated by Mariusz Zielinski over 2 years ago

Hello,
When may we expect custom fields per role visibility to be available? (This could be a really powerful feature.)

#6 Updated by Go MAEDA 4 months ago

  • Category set to Custom fields

#7 Updated by Go MAEDA 17 days ago

  • Duplicated by Feature #15416: Role-based issue custom field visibility for projects added

#8 Updated by Marius BALTEANU 15 days ago

  • Related to Patch #31859: Per role visibility settings for spent time custom fields added

#9 Updated by Marius BALTEANU 15 days ago

  • Assignee set to Marius BALTEANU

I'll update these patches in order to be applied on top of #31859. Jens Krämer, maybe you'll have time to review my work.

#10 Updated by Jens Krämer 10 days ago

Sure!

#11 Updated by Marius BALTEANU 10 days ago

I've attached the patch that adds per role visibility settings for project.

Working on it, I've observed an inconsistent behaviour (which I consider a defect/security issue): the project custom fields not visible for normal users are still visible in project settings for those users who have access to project settings. This issue can be easily reproduced using the test test_settings_should_not_display_custom_fields_not_visible_for_user added by me in test/functional/projects_controller_test.

Also, in order to keep the current behaviour where a custom field can be displayed in project#show only for admin users, we cannot validate the roles values when saving a project custom field (as we do for issues/spent entries) in order to allow saving a custom field with "to these roles only:" checked, but without any role checked (which is the equivalent of visible: false). Otherwise, we need to add a new option to visibility in order to allow "admin only".

Tests pass: https://gitlab.com/redmine-org/redmine/pipelines/76036437

Jens Krämer, Go Maeda, what do you think about these changes?

#12 Updated by Go MAEDA 3 days ago

Marius BALTEANU wrote:

Working on it, I've observed an inconsistent behaviour (which I consider it a defect/security issue), the project custom fields not visible for normal users are still visible in project settings for those users who have access to project settings.

The behavior will be fixed by your patch and the new behavior is straightforward.

Also, in order to keep the current behaviour where a custom field can be displayed in project#show only for admin users, we cannot validate the roles values when saving a project custom field (as we do for issues/spent entries) in order to allow saving a custom field with "to these roles only:" checked, but without any role checked (which is the equivalent of visible: false).

I think it is OK.

#13 Updated by Jens Krämer 3 days ago

Looks good to me!

#14 Updated by Marius BALTEANU 3 days ago

  • Related to Feature #31925: Per role visibility settings for project custom fields added

#15 Updated by Marius BALTEANU 2 days ago

Attached the patch for version custom fields.
Jens, do you remember why you overrode the @safe_attributes= method in your proposed patch for Version?

Tests pass: https://gitlab.com/redmine-org/redmine/pipelines/77404580

#16 Updated by Jens Krämer about 21 hours ago

@Marius - From the looks of it I would say I did that to prevent a user from setting the values of fields they cannot see through a crafted request. The same logic is present in the issue model. Strictly speaking the same should be done for projects.
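The two points raised in #11 (hidden fields leaking into the settings page) and #16 (a crafted request writing to fields the user cannot see) are the read and write halves of one check. The following is an added example in plain Ruby, not code from Redmine or from either patch on this page: it models a version with per-role custom field visibility and applies the same visibility predicate both when listing fields for display and when mass-assigning values. DemoUser, DemoCustomField, DemoVersion, FIELDS, visible_field_ids and assign_as are illustrative names; the method is called safe_attributes= only to mirror the thread's vocabulary and is not Redmine's implementation.

```ruby
# Added example, not Redmine's code. Per-role custom field visibility enforced on
# both the read path (which fields to render) and the write path (which values a
# request may assign). All class and method names below are assumptions.
require 'set'

# A user is identified by the role names they hold plus an admin flag.
DemoUser = Struct.new(:name, :roles, :admin) do
  def admin?
    admin
  end
end

# visible: true  -> anyone who can see the containing object sees the field
# visible: false -> only the listed roles see it; an empty list means admin only
# (the "to these roles only:" checked with no role selected case from #11)
class DemoCustomField
  attr_reader :id, :name, :visible, :role_names

  def initialize(id, name, visible:, role_names: [])
    @id, @name, @visible = id, name, visible
    @role_names = Set.new(role_names)
  end

  def visible_by?(user)
    return true if user.admin? || visible
    !(role_names & Set.new(user.roles)).empty?
  end
end

class DemoVersion
  attr_reader :name, :custom_field_values, :rejected_custom_field_ids

  def initialize(custom_fields, acting_user)
    @custom_fields = custom_fields
    @acting_user = acting_user
    @name = nil
    @custom_field_values = {}
    @rejected_custom_field_ids = []
  end

  # Read path: the fields a settings/show page should render for the acting user.
  def visible_custom_fields
    @custom_fields.select { |cf| cf.visible_by?(@acting_user) }
  end

  # Write path: mass assignment restricted to whitelisted attributes, with custom
  # field values further restricted to fields the acting user can see. Values for
  # hidden fields are dropped and recorded, so a crafted request cannot set them.
  def safe_attributes=(attrs)
    attrs = attrs.transform_keys(&:to_s)
    @name = attrs['name'] if attrs.key?('name')
    cfv = attrs['custom_field_values']
    return unless cfv.is_a?(Hash)

    allowed = visible_custom_fields.map { |cf| cf.id.to_s }.to_set
    cfv.each do |id, value|
      if allowed.include?(id.to_s)
        @custom_field_values[id.to_s] = value
      else
        @rejected_custom_field_ids << id.to_s
      end
    end
    # Any other key in attrs (id, project_id, ...) is ignored, never assigned.
  end
end

# Constructed sample data (not from the page).
FIELDS = [
  DemoCustomField.new(1, 'Release notes', visible: true),
  DemoCustomField.new(2, 'Internal budget', visible: false, role_names: ['Manager']),
  DemoCustomField.new(3, 'Admin notes', visible: false, role_names: [])
].freeze

# A request body as a client could send it, including ids of fields it should not see.
CRAFTED_REQUEST = {
  'name' => '2.0',
  'id' => 999,
  'custom_field_values' => { '1' => 'notes', '2' => '1000', '3' => 'secret' }
}.freeze

def visible_field_ids(user)
  DemoVersion.new(FIELDS, user).visible_custom_fields.map(&:id)
end

def assign_as(user, attrs = CRAFTED_REQUEST)
  v = DemoVersion.new(FIELDS, user)
  v.safe_attributes = attrs
  v
end

if __FILE__ == $PROGRAM_NAME
  dev = DemoUser.new('dan', ['Developer'], false)
  v = assign_as(dev)
  puts "developer sees fields #{visible_field_ids(dev).inspect}"
  puts "assigned: #{v.custom_field_values.inspect}, rejected: #{v.rejected_custom_field_ids.inspect}"
end
```

Because the same visible_by? predicate feeds both paths, a field hidden from a role can neither be rendered to it nor written by it, which is the consistency #11 asks for on the project side and #16 describes for the issue model.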
