Defect #9405
Any user with :log_time permission can edit time entries via context menu
| Status: | Closed | Start date: | 2011-10-11 | |
|---|---|---|---|---|
| Priority: | High | Due date: | ||
| Assignee: | Jean-Philippe Lang | % Done: | 0% |
|
| Category: | Time tracking | |||
| Target version: | 1.2.3 | |||
| Affected version: | Resolution: | Fixed |
Description
In Redmine 1.2.0 or later any user can edit any time entries via context menu.
Example url: http://redmine/projects/testproject/time_entries and click right mouse button on any time entries.
img1.png - user have permission to edit any time entries
img2-4.png - user edit time entries without permission on it.
As you can see, user with permissions have icons for edit time report, but user without permissions can do this via context menu anyway.
PS: I set high priority to ticket. I think, this serious defect?
img1.png (16.7 kB)
img2.png (13.6 kB)
img3.png (16.9 kB)
img4.png (16.4 kB)
redmine.rb.patch
(1.2 kB)
Related issues
Associated revisions
Fixed that :view_time_entries permission allows time entry editing (#9405).
Fixed that :edit_time_entries permission allows creating time entries (#9405).
Fixed time entries context menu display according permissions (#9405).
Fixed: log time form not displayed on issue edit with :log_time permission only (#9405).
History
#1 Updated by Etienne Massip 8 months ago
- Category set to Time tracking
#2 Updated by Mischa The Evil 8 months ago
- Priority changed from High to Normal
I'm not able to reproduce this issue with source:/trunk@7623.
Are you sure that you were not testing this with an account configured as an administrator?
#4 Updated by Toshi MARUYAMA 8 months ago
This line has a bug.
source:trunk/app/controllers/context_menus_controller.rb#L54
#5 Updated by Etienne Massip 8 months ago
- Target version set to Candidate for next minor release
#6 Updated by Mischa The Evil 8 months ago
Ahh, I see... Thanks for your clarification on this Toshi. I was testing with an account that did not had the :log_time permission at all :-/
#7 Updated by Jean-Philippe Lang 7 months ago
- Target version changed from Candidate for next minor release to 1.2.3
#8 Updated by Jean-Philippe Lang 6 months ago
- Status changed from New to Resolved
See related commits.
#9 Updated by Jean-Philippe Lang 6 months ago
- Assignee set to Jean-Philippe Lang
#10 Updated by Jevgen Gyrynovych 6 months ago
Now it work fine. Thanks.
#11 Updated by Jevgen Gyrynovych 6 months ago
- File redmine.rb.patch added
I find some problem after apply the patch - when user tried to update ticket(e.g. nuber_of_ticket/edit), he dont have access to "Log time".
It fix that problem.
#12 Updated by Jean-Philippe Lang 6 months ago
I don't know what this patch is supposed to fix but :log_time should not allow the user to edit time entries.
I fixed a last point in r7924 which may be related to your fix.
#13 Updated by Jean-Philippe Lang 6 months ago
- Subject changed from any user can edit time entries via context menu to Any user with :log_time permission can edit time entries via context menu
- Status changed from Resolved to Closed
- Resolution set to Fixed
Merged in 1.2-stable.