Defect #2703
Link to Changesets is shown to User without credential
| Status: | New | Start date: | 2009-02-09 | |
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: | - | % Done: | 0% | |
| Category: | Permissions and roles | |||
| Target version: | - | |||
| Affected version: | devel | Resolution: |
Description
The link to a changeset, which updated a ticket status, in ticket comments is shown to users, even if they dont have the creadentials to view the changeset.
So the user gets a "you're not allowed to access this" error page on accidently clicking on the link.
History
#1 Updated by Jean-Baptiste Barth almost 3 years ago
- Affected version changed from 0.8.0 to devel
I think it's a much more general issue : nearly wherever you are in Redmine, there can be links you can't follow if you do not have the "View" permission on the section/module. It might be difficult to do this without coupling links parsing and permissions... Any thought about that ?
#2 Updated by Toshi MARUYAMA about 2 years ago
- Category set to Permissions and roles