Shared Versions visible to users who do not have access to the project

Added by @ go2null over 11 years ago

Consider the following projects/Versions tree:

Project-A
+ Project-A1
  + Version-A1a
+ Project-A2
  + Version-A2a

User-A1 has access to Project-A1, but not to Project-A2.
Similarly, User-A2 has access to Project-A2, but not to Project-A1.

Version-A1a is shared with all projects.
Version-A2a is shared with the project tree.

What I found is that Version-A1a is visible to User-A2, although User-A2 cannot see Project-A1.
And similarly, Version-A2a is visible to User-A1, although User-A1 cannot see Project-A2.

This seems like a security breakdown.

Asking the forum for some guidance in understanding the rationale.

Environment:
  Redmine version                          2.1.0.stable
  Ruby version                             1.9.2 (x86_64-linux)
  Rails version                            3.2.8
  Environment                              production
  Database adapter                         Mysql2

Replies (6)

RE: Shared Versions visible to users who do not have access to the project - Added by Jean-Philippe Lang over 11 years ago

I understand that this may not suit your needs but this is the expected behaviour. Users are supposed to see all versions of projects they have access to. From the user's guide (RedmineProjectSettings):

Sharing a version of a private project with public projects will make its name visible to everyone.

RE: Shared Versions visible to users who do not have access to the project - Added by @ go2null over 11 years ago

I guess what makes this unexpected is that there are no Public projects in the tree.

There is only 1 public project, and even when I change it to non-public, the behaviour is the same - users can see versions of projects that they do not belong to.

It seems that the project permissions are being ignored, and only the tree sharing is looked at.

RE: Shared Versions visible to users who do not have access to the project - Added by Terence Mill over 11 years ago

James R wrote:

I guess what makes this unexpected is that there are no Public projects in the tree.

There is only 1 public project, and even when I change it to non-public, the behaviour is the same - users can see versions of projects that they do not belong to.

It seems that the project permissions are being ignored, and only the tree sharing is looked at.

You have to imagine that the version is shared in the sense of a copy (with permanent sync in both projects). The permission set in the parent project doesn't affect this origin version item, because the versions in the children are copies of it, not the original version. Every version copy is only affected by its child's permission rules, not by the parent's ones. It's another mental model; that helps to understand it, maybe.

If you want to share permissions together with versions, I would create a user group in Redmine and then enable this group in all projects down the tree with the corresponding role(s) as in the parent project of the origin version. That's how we do it. It's some clicks more, but still easy to maintain for us. And we have about 50 projects.
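The rule Terence describes (a shared version is visible to anyone who can see any project it is shared with, regardless of access to the origin project), as an added example that is not Redmine's code and not code from anyone in this thread. It reproduces the Project-A tree from the first post and also models the stricter check the original post expected, so the two rules can be compared side by side; the project and user names, the sharing modes (:none, :tree, :system) and the strict rule are all constructed for this example.

```ruby
# Added example, not Redmine's own code. It models the visibility rule the
# replies describe and the stricter alternative the original post expected.
# Project names, users and sharing modes are constructed for this example.

Project = Struct.new(:name, :parent, :is_public) do
  # Walk up to the top-level project of the tree.
  def root
    parent ? parent.root : self
  end

  # Two projects are in the same tree when they share a root.
  def in_tree_of?(other)
    root.equal?(other.root)
  end
end

# sharing: :none (origin only), :tree (whole project tree), :system (all projects)
Version = Struct.new(:name, :project, :sharing)

# Projects a user can see: public ones plus those they are a member of.
def visible_projects(user_memberships, projects)
  projects.select { |p| p.is_public || user_memberships.include?(p.name) }
end

# Projects a version is shared with, always including its origin project.
def sharing_scope(version, projects)
  case version.sharing
  when :none   then [version.project]
  when :tree   then projects.select { |p| p.in_tree_of?(version.project) }
  when :system then projects
  else raise ArgumentError, "unknown sharing mode #{version.sharing.inspect}"
  end
end

# Rule as described in this thread: the version is visible if ANY project in
# its sharing scope is visible to the user. Access to the origin project is
# not consulted, which is exactly what the original post observed.
def version_visible?(version, user_memberships, projects)
  visible = visible_projects(user_memberships, projects)
  (sharing_scope(version, projects) & visible).any?
end

# Stricter rule the original post expected (an assumption for comparison, not
# Redmine behaviour): the user must ALSO be able to see the origin project.
def version_visible_strict?(version, user_memberships, projects)
  version_visible?(version, user_memberships, projects) &&
    visible_projects(user_memberships, projects).include?(version.project)
end

# Constructed scenario from the first post: no public projects in the tree.
PROJECT_A  = Project.new('Project-A',  nil,       false)
PROJECT_A1 = Project.new('Project-A1', PROJECT_A, false)
PROJECT_A2 = Project.new('Project-A2', PROJECT_A, false)
PROJECTS   = [PROJECT_A, PROJECT_A1, PROJECT_A2].freeze

VERSION_A1A = Version.new('Version-A1a', PROJECT_A1, :system) # shared with all projects
VERSION_A2A = Version.new('Version-A2a', PROJECT_A2, :tree)   # shared with the project tree

# Memberships: each user belongs to exactly one sub-project.
USER_A1 = ['Project-A1'].freeze
USER_A2 = ['Project-A2'].freeze

if __FILE__ == $PROGRAM_NAME
  [[VERSION_A1A, 'User-A2', USER_A2], [VERSION_A2A, 'User-A1', USER_A1]].each do |v, who, m|
    puts "#{v.name} visible to #{who}: thread rule=#{version_visible?(v, m, PROJECTS)} " \
         "strict rule=#{version_visible_strict?(v, m, PROJECTS)}"
  end
end
```

Run with `ruby` to see that, under the rule described in the thread, Version-A1a is visible to User-A2 and Version-A2a to User-A1, while the strict rule denies both; a version with `:none` sharing stays confined to its origin project under either rule.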

RE: Shared Versions visible to users who do not have access to the project - Added by @ go2null over 11 years ago

Terence Mill wrote:

You have to imagine that the version is shared in the sense of a copy (with permanent sync in both projects). The permission set in the parent project doesn't affect this origin version item, because the versions in the children are copies of it, not the original version. Every version copy is only affected by its child's permission rules, not by the parent's ones. It's another mental model; that helps to understand it, maybe.

OK, understood. So, in RedmineProjectSettings

Sharing a version of a private project with public projects will make its name visible to everyone.

should be more like

Sharing a version will make it visible to all users of the projects it is shared with.
  • Public Projects: Sharing a version of a private project with public projects will make its name visible to everyone.
  • Permissions: The permissions from the original project are not enforced in the target projects, rather, the permissions of the target project are used. See forum RE: Shared Versions visible to users who do not have acce....)

If this accurately describes how versions are shared, then I'll update the wiki.

Terence Mill wrote:

If you want to share permissions together with versions, I would create a user group in Redmine and then enable this group in all projects down the tree with the corresponding role(s) as in the parent project of the origin version. That's how we do it. It's some clicks more, but still easy to maintain for us. And we have about 50 projects.

I'm a bit unclear on this, could you please provide an example?

RE: Shared Versions visible to users who do not have access to the project - Added by Massimo Rossello almost 11 years ago

Posted the feature #14236 with an attached patch over redmine 2.3.1

RE: Shared Versions visible to users who do not have access to the project - Added by Terence Mill almost 11 years ago

James R wrote:

I'm a bit unclear on this, could you please provide an example?

You give a group of users that you want to have access to some project's versions a role in these projects: "show issues".