Defect #25791

Bypass Tracker role-based permissions when copying issues

Added by Shane Coronado 6 months ago. Updated 5 months ago.

Status:ClosedStart date:
Priority:NormalDue date:
Assignee:Jean-Philippe Lang% Done:

0%

Category:Issues permissions
Target version:3.3.4
Resolution:Fixed Affected version:3.3.2

Description

Not sure if intended: We use the permission settings for our roles. However, our Developer role is able to create an issue that the role does not have permission to create. This was done by Copying said issue and not changing the Tracker field. By leaving the Tracker field blank, the user is able to create an issue that bypasses the role's permissions.

create_tickets_by_copy.jpg (29.7 KB) Shane Coronado, 2017-05-08 21:28

create_tickets_by_copy2.jpg (24.6 KB) Shane Coronado, 2017-05-08 21:28

create_tickets_by_copy3.jpg (20.2 KB) Shane Coronado, 2017-05-08 21:29

create_tickets_by_copy4.jpg (30.4 KB) Shane Coronado, 2017-05-08 21:29

Associated revisions

Revision 16569
Added by Jean-Philippe Lang 6 months ago

Check tracker permissions when copying an issue (#25791).

History

#1 Updated by Toshi MARUYAMA 6 months ago

  • Target version set to 3.2.7

#2 Updated by Jean-Philippe Lang 6 months ago

  • Status changed from New to Resolved
  • Assignee set to Jean-Philippe Lang
  • Resolution set to Fixed

Fixed in r16569.

#3 Updated by Jean-Philippe Lang 5 months ago

  • Subject changed from Bypass Tracker role-based permissions to Bypass Tracker role-based permissions when copying issues
  • Status changed from Resolved to Closed
  • Target version changed from 3.2.7 to 3.3.4

Tracker role-based permissions are not implemented in 3.2.

Also available in: Atom PDF