Defect #9405

Any user with :log_time permission can edit time entries via context menu

Added by Jevgen Gyrynovych about 6 years ago. Updated almost 6 years ago.

Status:ClosedStart date:2011-10-11
Priority:HighDue date:
Assignee:Jean-Philippe Lang% Done:

0%

Category:Time tracking
Target version:1.2.3
Resolution:Fixed Affected version:

Description

In Redmine 1.2.0 or later any user can edit any time entries via context menu.
Example url: http://redmine/projects/testproject/time_entries and click right mouse button on any time entries.
img1.png - user have permission to edit any time entries
img2-4.png - user edit time entries without permission on it.

As you can see, user with permissions have icons for edit time report, but user without permissions can do this via context menu anyway.

PS: I set high priority to ticket. I think, this serious defect?

img1.png (16.7 KB) Jevgen Gyrynovych, 2011-10-11 19:31

img2.png (13.6 KB) Jevgen Gyrynovych, 2011-10-11 19:31

img3.png (16.9 KB) Jevgen Gyrynovych, 2011-10-11 19:31

img4.png (16.4 KB) Jevgen Gyrynovych, 2011-10-11 19:31

redmine.rb.patch Magnifier (1.16 KB) Jevgen Gyrynovych, 2011-11-25 15:40


Related issues

Related to Redmine - Feature #7996: Bulk edit and context menu for time entries Closed

Associated revisions

Revision 7920
Added by Jean-Philippe Lang almost 6 years ago

Fixed that :view_time_entries permission allows time entry editing (#9405).

Revision 7921
Added by Jean-Philippe Lang almost 6 years ago

Fixed that :edit_time_entries permission allows creating time entries (#9405).

Revision 7922
Added by Jean-Philippe Lang almost 6 years ago

Fixed time entries context menu display according permissions (#9405).

Revision 7924
Added by Jean-Philippe Lang almost 6 years ago

Fixed: log time form not displayed on issue edit with :log_time permission only (#9405).

Revision 8158
Added by Jean-Philippe Lang almost 6 years ago

Merged r7920, r7921, r7922 and r7924 from trunk (#9405).

History

#1 Updated by Etienne Massip about 6 years ago

  • Category set to Time tracking

#2 Updated by Mischa The Evil about 6 years ago

  • Priority changed from High to Normal

I'm not able to reproduce this issue with source:/trunk@7623.

Are you sure that you were not testing this with an account configured as an administrator?

#3 Updated by Toshi MARUYAMA about 6 years ago

  • Priority changed from Normal to High

I can reproduce.

#5 Updated by Etienne Massip about 6 years ago

  • Target version set to Candidate for next minor release

#6 Updated by Mischa The Evil about 6 years ago

Ahh, I see... Thanks for your clarification on this Toshi. I was testing with an account that did not had the :log_time permission at all :-/

#7 Updated by Jean-Philippe Lang about 6 years ago

  • Target version changed from Candidate for next minor release to 1.2.3

#8 Updated by Jean-Philippe Lang almost 6 years ago

  • Status changed from New to Resolved

See related commits.

#9 Updated by Jean-Philippe Lang almost 6 years ago

  • Assignee set to Jean-Philippe Lang

#10 Updated by Jevgen Gyrynovych almost 6 years ago

Now it work fine. Thanks.

#11 Updated by Jevgen Gyrynovych almost 6 years ago

I find some problem after apply the patch - when user tried to update ticket(e.g. nuber_of_ticket/edit), he dont have access to "Log time".
It fix that problem.

#12 Updated by Jean-Philippe Lang almost 6 years ago

I don't know what this patch is supposed to fix but :log_time should not allow the user to edit time entries.
I fixed a last point in r7924 which may be related to your fix.

#13 Updated by Jean-Philippe Lang almost 6 years ago

  • Subject changed from any user can edit time entries via context menu to Any user with :log_time permission can edit time entries via context menu
  • Status changed from Resolved to Closed
  • Resolution set to Fixed

Merged in 1.2-stable.

Also available in: Atom PDF