Users can assign a user/group which is not a member of current project, or even a user that doesn't exist
Tested on Redmine 3.2.0
(I consider it as a bug, but it may be standard behaviour, which would be a really strange design decision)
I discovered this after receiving a report that the group which was assigned on an issue couldn't see it. This was normal, because the group was not a member of the related project. But I don't know how the issue could have been assigned to this group since only project members are assignable (even after investigating, I still don't know how it could have happened).
So I uninstalled all plugins on my integration environment, to avoid any plugin-related strange behaviour which could cause that. Then I tried to replace the currently assigned user/group ID directly in the HTML page (with Chrome "Inspect Element"), just to see if it was a client or server side problem. This led me to this bug report:
- When replacing with the ID of another user/group from same project, the issue is saved normally, and the issue is assigned to given group (this is standard behaviour)
- When replacing with the ID of a user/group which is NOT a member of the project, (this should not work. Even though assigned user/group can't see the issue, it shouldn't even be assignable in the first place)
- When replacing by the ID of a group which is un-assignable globally (= has only an un-assignable role),
- When replacing by the ID of a non-existing user/group, (when the issue is saved, the current assignee is just set to "" in web page, and the given ID is set in database)
This doesn't seem to be the proper way it should be working.
It also allows user/group listing across the entire Redmine instance, which could be considered as a security threat.
PS: I can't test on a more recent version than 3.2.0 ATM, sorry for that. (it takes 10 sec to reproduce, just inspect element with Chrome, set ID to "9999999" for currently selected option, and save issue)
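
A sketch of the server-side check this report is asking for, as an added example that is not part of the original report and not Redmine's own code. The class names, the `assignable` role flag and the error message are assumptions. It treats the submitted assignee ID as untrusted input and returns one uniform error for the non-member, un-assignable and non-existing cases listed above.

```ruby
# Constructed sample data; names and IDs are illustrative, not from a real instance.
Principal  = Struct.new(:id, :name)
Role       = Struct.new(:name, :assignable)
Membership = Struct.new(:principal, :roles)

class Project
  def initialize(memberships)
    @memberships = memberships
  end

  # IDs of members holding at least one role flagged as assignable.
  def assignable_ids
    @memberships.select { |m| m.roles.any?(&:assignable) }
                .map { |m| m.principal.id }
  end
end

INVALID = "Assignee is invalid".freeze

# Hypothetical server-side check run before saving an issue.
# Returns [accepted_id, error]. Non-members, members without an assignable
# role, unknown IDs and malformed input all get the same error, so the
# response cannot be used to tell which principal IDs exist.
def validate_assignee(project, submitted_id)
  raw = submitted_id.to_s.strip
  return [nil, nil] if raw.empty? # leaving the issue unassigned is allowed
  id = Integer(raw, 10, exception: false)
  return [nil, INVALID] unless id && project.assignable_ids.include?(id)
  [id, nil]
end

developer = Role.new("Developer", true)
reporter  = Role.new("Reporter", false)        # un-assignable role
alice     = Principal.new(1, "alice")          # project member, assignable
support   = Principal.new(2, "Support group")  # member, un-assignable role only
_bob      = Principal.new(3, "bob")            # exists, not a project member

PROJECT = Project.new([
  Membership.new(alice, [developer]),
  Membership.new(support, [reporter])
])

if __FILE__ == $PROGRAM_NAME
  %w[1 2 3 9999999].each do |id|
    puts "#{id}: #{validate_assignee(PROJECT, id).inspect}"
  end
end
```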