Defect #25258

Field permissions ignored if the user and the group one belongs to share the same role

Added by Marcin Szewczyk 8 months ago. Updated 8 months ago.

Status:ClosedStart date:
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:Issues workflow
Target version:-
Resolution:Duplicate Affected version:3.0.0

Description

I've marked version 3.0.0 as the affected one because in Debian the package is versioned as 3.0~20140825, but the code suggests that the current Redmine might still be affected.

As stated in the subject, when there is a following situation:
User 9 gets its role (6) directly and from the group's (12) role. For role 6 there is a "required" flag for some field.

# select member_roles.id, role_id, member_id,
  user_id, inherited_from, type
  from member_roles
  join members on member_roles.member_id = members.id
  join users on user_id = users.id
  where user_id in (9, 12);
 id | role_id | member_id | user_id | inherited_from | type  
----+---------+-----------+---------+----------------+-------
 33 |       6 |        13 |      12 |                | Group
 38 |       6 |        15 |       9 |             33 | User
 29 |       6 |        15 |       9 |                | User
(3 rows)

Field permissions (like "required") are ignored which leads to a workflow violation.

The reason is that in models/issue.rb inside workflow_rule_by_attribute() there is a line next if rules.size < roles.size. When a role for the user comes from both directly the user and the group, the same role is returned twice by roles_for_project() and the condition becomes true. In consequence the returned result of workflow_rule_by_attribute() is empty.

I propose changing one line in models/user.rb in roles_for_project(), i.e. from membership.roles to membership.roles.uniq. A short patch attached.

Note to future self: next if rules.size < roles.size means "don't apply permissions if for the field for any of the roles there is none set (inherited lack of restrictions)".

user.rb.patch Magnifier - roles_for_project() returning only unique roles (391 Bytes) Marcin Szewczyk, 2017-03-03 23:56


Related issues

Duplicated by Redmine - Defect #19569: Field permissions not working properly with inherited mem... Closed

History

#2 Updated by Jean-Philippe Lang 8 months ago

  • Status changed from New to Closed
  • Resolution set to Duplicate

3.0.0 is indeed affected by this issue. This was already reported in #19569 and fixed in 2.6.4 and 3.0.2 (r14179).

#3 Updated by Jean-Philippe Lang 8 months ago

  • Duplicated by Defect #19569: Field permissions not working properly with inherited memberships added

#4 Updated by Marcin Szewczyk 8 months ago

Jean-Philippe Lang wrote:

3.0.0 is indeed affected by this issue. This was already reported in #19569 and fixed in 2.6.4 and 3.0.2 (r14179).

Sorry, I have missed the #19569 issue. Thank you.

Also available in: Atom PDF