Redmine - Feature #23997: Per role visibility settings for version custom fields (https://www.redmine.org/)
Jan from Planio (www.plan.io), 2016-10-05T06:45:17Z, https://www.redmine.org/issues/23997?journal_id=73889
<ul><li><strong>Target version</strong> set to <i>Candidate for next minor release</i></li></ul>
Jens Krämer (jk@jkraemer.net), 2016-10-05T09:08:09Z, https://www.redmine.org/issues/23997?journal_id=73893
<ul><li><strong>File</strong> <a href="/attachments/16807">0001-per-role-visibility-settings-for-project-and-version.patch</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/16807/0001-per-role-visibility-settings-for-project-and-version.patch">0001-per-role-visibility-settings-for-project-and-version.patch</a> added</li></ul><p>Turns out the patch led to invalid SQL for project custom fields, here is an updated version which overrides <code>CustomField#visibility_by_project_condition</code> in <code>ProjectCustomField</code> to work with the correct <code>project_key</code> (that is, <code>projects.id</code> instead of <code>projects.project_id</code>).</p>
Toshi MARUYAMA, 2016-11-02T03:00:18Z, https://www.redmine.org/issues/23997?journal_id=74330
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/5037">Feature #5037</a>: Role-based issue custom field visibility</i> added</li></ul>
Toshi MARUYAMA, 2016-11-02T03:03:11Z, https://www.redmine.org/issues/23997?journal_id=74332
<ul></ul><p>Could you add tests like <a class="changeset" title="Role-based issue custom field visibility (#5037)." href="https://www.redmine.org/projects/redmine/repository/svn/revisions/12012">r12012</a>?</p>
Mariusz Zielinski, 2017-05-18T07:21:56Z, https://www.redmine.org/issues/23997?journal_id=78672
<ul></ul><p>Hello,<br />When may we expect custom fields per role visibility to be available? (this could be a really powerful feature)</p>
Go MAEDA, 2019-05-06T08:33:25Z, https://www.redmine.org/issues/23997?journal_id=91567
<ul><li><strong>Category</strong> set to <i>Custom fields</i></li></ul>
Go MAEDA, 2019-08-06T00:15:11Z, https://www.redmine.org/issues/23997?journal_id=92979
<ul><li><strong>Has duplicate</strong> <i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/15416">Feature #15416</a>: Role-based issue custom field visibility for projects</i> added</li></ul>
Marius BĂLTEANU, 2019-08-07T06:03:50Z, https://www.redmine.org/issues/23997?journal_id=92998
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/31859">Feature #31859</a>: Per role visibility settings for spent time custom fields</i> added</li></ul>
Marius BĂLTEANU, 2019-08-07T06:19:11Z, https://www.redmine.org/issues/23997?journal_id=93003
<ul><li><strong>Assignee</strong> set to <i>Marius BĂLTEANU</i></li></ul><p>I'll update these patches in order to be applied on top of <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: Per role visibility settings for spent time custom fields (Closed)" href="https://www.redmine.org/issues/31859">#31859</a>. Jens Krämer, maybe you'll have time to review my work.</p>
Jens Krämer (jk@jkraemer.net), 2019-08-12T12:39:51Z, https://www.redmine.org/issues/23997?journal_id=93065
<ul></ul><p>Sure!</p>
Marius BĂLTEANU, 2019-08-12T22:01:33Z, https://www.redmine.org/issues/23997?journal_id=93070
<ul><li><strong>File</strong> <a href="/attachments/23612">0001-Per-role-visibility-settings-for-project-custom-fiel.patch</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/23612/0001-Per-role-visibility-settings-for-project-custom-fiel.patch">0001-Per-role-visibility-settings-for-project-custom-fiel.patch</a> added</li></ul><p>I've attached the patch that adds per role visibility settings for project.</p>
<p>Working on it, I've observed an inconsistent behaviour (which I consider a defect/security issue): the project custom fields not visible for normal users are still visible in project settings for those users who have access to project settings. This issue can be easily reproduced using the test <code>test_settings_should_not_display_custom_fields_not_visible_for_user</code> added by me in <code>test/functional/projects_controller_test</code>.</p>
<p>Also, in order to keep the current behaviour where a custom field can be displayed in <code>project#show</code> only for admin users, we cannot validate the roles values when saving a project custom field (as we do for issues/spent entries) in order to allow saving a custom field with "to these roles only:" checked, but without any role checked (which is the equivalent of <code>visible: false</code>). Otherwise, we need to add a new option to visibility in order to allow "admin only".</p>
<p>Tests pass: <a class="external" href="https://gitlab.com/redmine-org/redmine/pipelines/76036437">https://gitlab.com/redmine-org/redmine/pipelines/76036437</a></p>
<p>Jens Krämer, Go Maeda, what do you think about these changes?</p>
Go MAEDA, 2019-08-19T05:16:10Z, https://www.redmine.org/issues/23997?journal_id=93223
<ul></ul><p>Marius BALTEANU wrote:</p>
<blockquote>
<p>Working on it, I've observed an inconsistent behaviour (which I consider a defect/security issue): the project custom fields not visible for normal users are still visible in project settings for those users who have access to project settings.</p>
</blockquote>
<p>The behavior will be fixed by your patch and the new behavior is straightforward.</p>
<blockquote>
<p>Also, in order to keep the current behaviour where a custom field can be displayed in <code>project#show</code> only for admin users, we cannot validate the roles values when saving a project custom field (as we do for issues/spent entries) in order to allow saving a custom field with "to these roles only:" checked, but without any role checked (which is the equivalent of <code>visible: false</code>).</p>
</blockquote>
<p>I think it is OK.</p>
Jens Krämer (jk@jkraemer.net), 2019-08-19T06:17:39Z, https://www.redmine.org/issues/23997?journal_id=93224
<ul></ul><p>Looks good to me!</p>
Marius BĂLTEANU, 2019-08-19T20:18:53Z, https://www.redmine.org/issues/23997?journal_id=93237
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/31925">Feature #31925</a>: Per role visibility settings for project custom fields</i> added</li></ul>
Marius BĂLTEANU, 2019-08-20T20:30:58Z, https://www.redmine.org/issues/23997?journal_id=93257
<ul><li><strong>File</strong> <a href="/attachments/23669">0001-Per-role-visibility-for-version-custom-fields.patch</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/23669/0001-Per-role-visibility-for-version-custom-fields.patch">0001-Per-role-visibility-for-version-custom-fields.patch</a> added</li><li><strong>Subject</strong> changed from <i>Per role visibility settings for project and version custom fields</i> to <i>Per role visibility settings for version custom fields</i></li></ul><p>Attached the patch for version custom fields. <br />Jens, do you remember why did you override the <code>safe_attributes=</code> method in your proposed patch for <code>Version</code>?</p>
<p>Tests pass: <a class="external" href="https://gitlab.com/redmine-org/redmine/pipelines/77404580">https://gitlab.com/redmine-org/redmine/pipelines/77404580</a></p>
Jens Krämer (jk@jkraemer.net), 2019-08-21T19:07:08Z, https://www.redmine.org/issues/23997?journal_id=93268
<ul></ul><p><a class="user active" href="https://www.redmine.org/users/27597">Marius Ionescu</a> - From the looks of it I would say I did that to prevent a user from setting the values of fields they cannot see through a crafted request. The same logic is present in the issue model. Strictly speaking the same should be done for projects.</p>
Marius BĂLTEANU, 2019-08-23T19:42:31Z, https://www.redmine.org/issues/23997?journal_id=93289
<ul><li><strong>Assignee</strong> deleted (<del><i>Marius BĂLTEANU</i></del>)</li><li><strong>Target version</strong> changed from <i>Candidate for next minor release</i> to <i>4.1.0</i></li></ul><p>Jens Krämer wrote:</p>
<blockquote>
<p><a class="user active" href="https://www.redmine.org/users/27597">Marius Ionescu</a> - From the looks of it I would say I did that to prevent a user from setting the values of fields they cannot see through a crafted request. The same logic is present in the issue model. Strictly speaking the same should be done for projects.</p>
</blockquote>
<p>Got it, thanks. Next week I’ll add new patches to implement this logic to Spent time, Project and Version.</p>
<p>Until then, we can deliver this one.</p>
Go MAEDA, 2019-08-24T08:51:54Z, https://www.redmine.org/issues/23997?journal_id=93294
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Closed</i></li><li><strong>Assignee</strong> set to <i>Go MAEDA</i></li></ul><p>Committed the patch. Thank you for your contribution.</p>
Marius BĂLTEANU, 2019-08-27T07:20:34Z, https://www.redmine.org/issues/23997?journal_id=93329
<ul><li><strong>Related to</strong> <i><a class="issue tracker-3 status-5 priority-4 priority-default closed" href="/issues/31954">Patch #31954</a>: Reject project/version custom field values not visible to user</i> added</li></ul>
Jean-Philippe Lang (jp_lang@yahoo.fr), 2019-12-20T09:06:09Z, https://www.redmine.org/issues/23997?journal_id=95401
<ul><li><strong>Tracker</strong> changed from <i>Patch</i> to <i>Feature</i></li></ul>
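<p>The point raised in the thread about overriding <code>safe_attributes=</code>, so that a crafted request cannot set values for custom fields the user cannot see, shown as an added example in plain Ruby. It is not Redmine's code or any of the attached patches; every class, method and sample value is hypothetical, and it also models the "no role checked means admin only" case discussed for project fields.</p>

```ruby
# Added illustration in plain Ruby, not Redmine's code; all names are hypothetical.
CustomField = Struct.new(:id, :name, :visible, :role_ids) do
  # Admins see every field. Otherwise the field must be visible to all, or the
  # user must hold one of its roles; visible=false with no roles is "admin only".
  def visible_to?(user)
    user.admin || visible || (role_ids & user.role_ids).any?
  end
end

User = Struct.new(:login, :admin, :role_ids)

class VersionRecord
  attr_reader :custom_values

  def initialize(fields)
    @fields = fields
    @custom_values = {}
  end

  # Unfiltered setter: stores every field id the request supplies.
  def unfiltered_attributes=(attrs)
    attrs.fetch("custom_field_values", {}).each { |id, v| @custom_values[id.to_i] = v }
  end

  # Filtered setter: keeps only values for fields visible to `user` and
  # returns the rejected keys so the caller can log them.
  def assign_safe_attributes(attrs, user)
    allowed = @fields.select { |f| f.visible_to?(user) }.map(&:id)
    rejected = []
    attrs.fetch("custom_field_values", {}).each do |id, v|
      fid = id.to_s.match?(/\A\d+\z/) ? id.to_i : nil
      if allowed.include?(fid)
        @custom_values[fid] = v
      else
        rejected << id
      end
    end
    rejected
  end
end

# Constructed sample data: field 2 is limited to role 3, field 3 is admin only.
FIELDS = [CustomField.new(1, "Release notes", true, []),
          CustomField.new(2, "Budget", false, [3]),
          CustomField.new(3, "Internal flag", false, [])].freeze
# Constructed request parameters, as submitted by a user who holds only role 5.
PARAMS = { "custom_field_values" => { "1" => "ok", "2" => "999", "3" => "x" } }.freeze
sample = VersionRecord.new(FIELDS)
p [sample.assign_safe_attributes(PARAMS, User.new("reporter", false, [5])), sample.custom_values]
```

<p>Returning the rejected keys lets the caller log attempts to write fields outside the user's visibility instead of dropping them silently.</p>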