Defect #25791

Bypass Tracker role-based permissions

Added by Shane Coronado 16 days ago. Updated 16 days ago.

Status: New
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Issues permissions
Target version: 3.2.7
Resolution:
Affected version: 3.3.2

Description

Not sure if intended: We use the permission settings for our roles. However, our Developer role is able to create an issue that the role does not have permission to create. This was done by copying said issue and not changing the Tracker field. By leaving the Tracker field blank, the user is able to create an issue that bypasses the role's permissions.

create_tickets_by_copy.jpg (29.7 KB) Shane Coronado, 2017-05-08 21:28

create_tickets_by_copy2.jpg (24.6 KB) Shane Coronado, 2017-05-08 21:28

create_tickets_by_copy3.jpg (20.2 KB) Shane Coronado, 2017-05-08 21:29

create_tickets_by_copy4.jpg (30.4 KB) Shane Coronado, 2017-05-08 21:29
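
The reported behaviour as a minimal model, added here for illustration and not taken from Redmine or from the reporter: a copy path that authorizes the tracker only when the form submits one, beside a version that checks the tracker the new issue ends up with. All class and method names, and the sample role and issue, are hypothetical; the page does not state the root cause in Redmine.

```ruby
# Minimal model of the reported behaviour. NOT Redmine code: Role, Issue,
# copy_issue_* and addable_trackers are hypothetical names.
Role  = Struct.new(:name, :addable_trackers)
Issue = Struct.new(:tracker, :subject)

class TrackerNotAllowed < StandardError; end

# Weak pattern: the tracker is authorized only when the form submits one.
# A blank Tracker field keeps the source issue's tracker without any check.
def copy_issue_weak(source, role, params)
  copy = source.dup
  requested = params[:tracker].to_s.strip
  unless requested.empty?
    raise TrackerNotAllowed, requested unless role.addable_trackers.include?(requested)
    copy.tracker = requested
  end
  copy
end

# Hardened pattern: authorize the tracker the new issue will actually carry,
# whether it came from the form or was inherited from the copied issue.
def copy_issue_checked(source, role, params)
  copy = source.dup
  requested = params[:tracker].to_s.strip
  copy.tracker = requested unless requested.empty?
  unless role.addable_trackers.include?(copy.tracker)
    raise TrackerNotAllowed, "#{role.name} may not create #{copy.tracker} issues"
  end
  copy
end

# Returns true when the copy is created, false when it is refused.
def copy_allowed?(via, source, role, params)
  send(via, source, role, params)
  true
rescue TrackerNotAllowed
  false
end

# Constructed sample data: Developer may only add "Bug" issues.
DEVELOPER = Role.new("Developer", ["Bug"])
SOURCE    = Issue.new("Feature", "Existing feature request")

if __FILE__ == $PROGRAM_NAME
  puts copy_allowed?(:copy_issue_weak, SOURCE, DEVELOPER, { tracker: "" })
  puts copy_allowed?(:copy_issue_checked, SOURCE, DEVELOPER, { tracker: "" })
end
```
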

History

#1 Updated by Toshi MARUYAMA 16 days ago

  • Target version set to 3.2.7
