Defect #9566

Redmine.pm considers all projects private when login_required is enabled

Added by Guillaume Perréal about 6 years ago. Updated almost 6 years ago.

Status: Closed
Start date: 2011-11-14
Priority: Normal
Due date:
Assignee: Jean-Philippe Lang
% Done: 0%
Category: SCM extra
Target version: 1.2.3
Resolution:
Affected version: 1.2.2

Description

When the "login_required" setting is enabled, Redmine.pm considers all projects as private, which prevents non-member access to public projects.

Associated revisions

Revision 7808
Added by Jean-Philippe Lang about 6 years ago

Fixed: Redmine.pm considers all projects private when login_required is enabled (#9566).

Revision 7834
Added by Jean-Philippe Lang about 6 years ago

Fixed: Redmine.pm considers all projects private when login_required is enabled (#9566).

Revision 8119
Added by Jean-Philippe Lang almost 6 years ago

Merged r7834 from trunk (#9566).

History

#1 Updated by Jean-Philippe Lang about 6 years ago

  • Status changed from New to Resolved
  • Resolution set to Fixed

This should be fixed in r7808. Can you confirm?

#2 Updated by Jean-Philippe Lang about 6 years ago

  • Assignee set to Jean-Philippe Lang

#3 Updated by Guillaume Perréal about 6 years ago

With r7808, providing any login/password always allows reading on public projects, even if the user does not exist or the password is wrong.

#4 Updated by Jean-Philippe Lang about 6 years ago

  • Status changed from Resolved to Confirmed
  • Resolution deleted (Fixed)

Indeed and I've just reverted it. The fix needs more refactoring.

#5 Updated by Jean-Philippe Lang about 6 years ago

  • File 9566.patch added

The attached patch should handle the access of non members. Feedback is welcome.

#6 Updated by Guillaume Perréal about 6 years ago

I think "cast(projects.is_public as CHAR) IN ('t', '1')" could be handled as "projects.is_public" since it should be a boolean and I do not know if this SQL is allowed with all RDBMS. ("t" is just how DBI returns PostgreSQL true value.) I will test it with MySQL and maybe SQLite. By the way, I am not sure how this change would affect the RedmineDbQuery directive.

#7 Updated by Jean-Philippe Lang about 6 years ago

Guillaume Perréal wrote:

> I think "cast(projects.is_public as CHAR) IN ('t', '1')" could be handled as "projects.is_public" since it should be a boolean

It doesn't work with sqlite3.

> and I do not know if this SQL is allowed with all RDBMS. ("t" is just how DBI returns PostgreSQL true value.) I will test it with MySQL and maybe SQLite.

It should work with mysql, postgresql and sqlite3.

> By the way, I am not sure how this change would affect the RedmineDbQuery directive.

The members and member_roles are no longer available for additional conditions but I don't think it really makes sense to add custom conditions on these tables.

#8 Updated by Guillaume Perréal about 6 years ago

There is a small typo in the subquery: it selects member_roles.id where it should be member_roles.role_id. Once fixed, it behaves as expected: I tested it with roles manager, reviewer and non-member for reading and writing access.

#9 Updated by Jean-Philippe Lang about 6 years ago

  • Status changed from Confirmed to Resolved
  • Target version set to 1.2.3

Fixed patch applied, thanks for the feedback.

#10 Updated by Jean-Philippe Lang about 6 years ago

  • File deleted (9566.patch)

#11 Updated by Jean-Philippe Lang almost 6 years ago

  • Status changed from Resolved to Closed

Merged.
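The access rule this thread converges on, as an added example that is not part of the original issue, the 9566.patch attachment or Redmine.pm: credentials are verified first, and only then is the project's public flag or the user's membership consulted, using the `cast(... as CHAR) IN ('t', '1')` predicate quoted in comment #6. The schema, rows, function names and password hashing are constructed for illustration, role permissions are left out, and `can_read_public_first` only models the behaviour reported in comment #3, not the r7808 code.

```python
import hashlib
import hmac
import sqlite3

# Constructed, simplified schema (assumption; not Redmine's real tables).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT);
CREATE TABLE projects (id INTEGER PRIMARY KEY, identifier TEXT, is_public BOOLEAN);
CREATE TABLE members (id INTEGER PRIMARY KEY, user_id INTEGER, project_id INTEGER);
"""
IS_PUBLIC = "cast(p.is_public as CHAR) IN ('t', '1')"  # predicate from comment #6

def pw_hash(password):
    # Constructed fixed salt keeps the sample short; use per-user salts in practice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"sample-salt", 10000).hex()

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", pw_hash("alice-pw")), (2, "bob", pw_hash("bob-pw"))])
    db.executemany("INSERT INTO projects VALUES (?, ?, ?)",  # 't'/'f' and 1 spellings
                   [(1, "open-t", "t"), (2, "open-1", 1), (3, "closed", "f")])
    db.execute("INSERT INTO members VALUES (1, 1, 3)")  # alice belongs to "closed"
    return db

def authenticate(db, login, password):
    row = db.execute("SELECT id, pw_hash FROM users WHERE login = ?", (login,)).fetchone()
    stored = row[1] if row else ""
    # Hash and compare even for unknown logins so both failures take the same path.
    ok = hmac.compare_digest(stored, pw_hash(password))
    return row[0] if row and ok else None

def can_read(db, login, password, project):
    user_id = authenticate(db, login, password)
    if user_id is None:
        return False  # bad credentials end the request, public project or not
    sql = ("SELECT 1 FROM projects p WHERE p.identifier = ? AND (" + IS_PUBLIC +
           " OR EXISTS (SELECT 1 FROM members m"
           " WHERE m.project_id = p.id AND m.user_id = ?))")
    return db.execute(sql, (project, user_id)).fetchone() is not None

def can_read_public_first(db, login, password, project):
    # Models comment #3: the public check short-circuits before credentials are verified.
    sql = "SELECT 1 FROM projects p WHERE p.identifier = ? AND " + IS_PUBLIC
    if db.execute(sql, (project,)).fetchone():
        return True
    return can_read(db, login, password, project)
```

A regression test for this class of bug needs at least three cases against a public project: a valid non-member, a known user with a wrong password, and an unknown user.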
