Defect #2589

Cross project issue relations and user permissions

Added by Brad Beattie over 8 years ago. Updated over 8 years ago.

Status:ClosedStart date:2009-01-26
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:IssuesEstimated time:1.00 hour
Target version:0.9.0
Resolution:Fixed Affected version:

Description

I have an odd use-case here. Administrator Alice enables cross-project issue relations, creates a private project and creates issue 1 (an issue User Bob can't see). Bob, who belongs to a public project, creates issue 2. Being the sneaky user that he is, he wants to see what tickets private trackers have. He adds an issue relation to issue 1 and sees the ticket subject. Oh noes!

Basically, cross-project issue relations aren't respecting user permissions to see the ticket (or its subject). The issue relation could be kept, for sure, just not displayed to that user.

I gather the fix is to restrict what issue relations show according the the viewing user's permissions, yeah?

Associated revisions

Revision 2323
Added by Jean-Philippe Lang over 8 years ago

Fixed: users should not be able to add relations with issues they're not allowed to view (#2589).

Revision 2343
Added by Jean-Philippe Lang over 8 years ago

Fixed: issue details view discloses relations to issues that the user is not allowed to view (#2589).

History

#1 Updated by Jean-Philippe Lang over 8 years ago

He adds an issue relation to issue 1 and sees the ticket subject. Oh noes!

This is fixed in r2323. Users are no longer able to add relation on tickets they're not allowed to view.

TODO: do not show a relation if the related issue can not be viewed.

#2 Updated by Jean-Philippe Lang over 8 years ago

  • Status changed from New to Closed
  • Target version set to 0.9.0
  • Resolution set to Fixed

Last part is fixed in r2343.
The relation will be hidden if the user is not allowed to view the related issue.

Also available in: Atom PDF