Defect #12287 (closed)
Time entries of private issues are visible by users without permission to see them
% Done: 0%
Description

By accessing /projects/:id/time_entries users can see time entries submitted on private issues even if they don't have access to the issue.

Affected version:
- Redmine: 2.1.2.devel.10772
- Rails: 3.2.8
- Ruby: 1.9.3 (x86_64-linux)
Related issues

Updated by Daniel Felix about 13 years ago

- Status changed from New to Confirmed
- Priority changed from Normal to High

Hi,
I can confirm this with current trunk (10781)!
      
      Updated by Ricardo S almost 13 years ago
      
    
    This can be fixed with the following modifications on the TimeEntry model:
  # Create this method
  def self.visible_condition(user, options={})
     "(#{Issue.visible_condition(user, options)} AND #{Project.allowed_to_condition(user, :view_time_entries, options)})" 
  end
  # Update the :visible scope
  scope :visible, lambda {|*args| {
    :include => [:project, :issue],
    :conditions => TimeEntry.visible_condition(args.shift || User.current, *args)
  }}
	With these changes, time entries on private issues will no longer be visible neither on search results page nor on the /projects/:id/time_entries page.
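The following is an added, self-contained illustration of the two visibility rules discussed in this thread; it is not Redmine's code and not part of the comment above. It models a simplified Redmine-like role (a permission set, an issues_visibility setting of :all or :default, and a time_entries_visibility setting of :all or :own), the current behaviour in which a time entry's visibility depends only on :view_time_entries plus the time-log visibility setting, and the proposed behaviour that additionally requires the linked issue to be visible. The role, user, issue and entry structures and all sample data are constructed for the example; entries with no issue (project-level time logs) are kept visible under both rules.

```ruby
# Added example (not Redmine's own code): in-memory model of time entry
# visibility with and without coupling to issue visibility.
Role = Struct.new(:permissions, :issues_visibility, :time_entries_visibility)
User = Struct.new(:id, :role)
Issue = Struct.new(:id, :is_private, :author_id, :assigned_to_id)
TimeEntry = Struct.new(:id, :user_id, :issue)

# Simplified issue visibility (assumption): the role needs :view_issues;
# a private issue is visible only to involved users unless the role's
# issues_visibility is :all.
def issue_visible?(user, issue)
  role = user.role
  return false unless role.permissions.include?(:view_issues)
  return true unless issue.is_private
  role.issues_visibility == :all ||
    [issue.author_id, issue.assigned_to_id].include?(user.id)
end

# Current behaviour as the thread describes it: only :view_time_entries
# and the "time logs visibility" role setting are consulted.
def time_entry_visible_uncoupled?(user, entry)
  role = user.role
  return false unless role.permissions.include?(:view_time_entries)
  role.time_entries_visibility == :all || entry.user_id == user.id
end

# Proposed behaviour: the issue condition is ANDed onto the time entry
# condition; entries without an issue are unaffected.
def time_entry_visible_coupled?(user, entry)
  time_entry_visible_uncoupled?(user, entry) &&
    (entry.issue.nil? || issue_visible?(user, entry.issue))
end

# Returns the ids of the entries the user may see under the chosen rule.
def visible_entries(user, entries, coupled:)
  entries.select do |e|
    coupled ? time_entry_visible_coupled?(user, e) : time_entry_visible_uncoupled?(user, e)
  end.map(&:id)
end

# Constructed sample data: one role that may see all time entries but
# only non-private issues it is not involved in.
REPORTER = Role.new([:view_issues, :view_time_entries], :default, :all)
ALICE = User.new(1, REPORTER) # author of the private issue
BOB   = User.new(2, REPORTER) # not involved in the private issue
PUBLIC_ISSUE  = Issue.new(10, false, 1, nil)
PRIVATE_ISSUE = Issue.new(11, true, 1, nil)
ENTRIES = [
  TimeEntry.new(100, 1, PUBLIC_ISSUE),
  TimeEntry.new(101, 1, PRIVATE_ISSUE),
  TimeEntry.new(102, 2, nil) # logged against the project, no issue
]

if __FILE__ == $PROGRAM_NAME
  puts "Bob, uncoupled: #{visible_entries(BOB, ENTRIES, coupled: false).inspect}"
  puts "Bob, coupled:   #{visible_entries(BOB, ENTRIES, coupled: true).inspect}"
end
```

Under the uncoupled rule Bob sees entry 101 although he cannot open issue 11; under the coupled rule that entry is filtered out while his view of the public and project-level entries is unchanged.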
      
      Updated by Etienne Massip almost 13 years ago
      
    
    - Target version set to Candidate for next minor release
 
      
      Updated by Marius BĂLTEANU over 8 years ago
      
    
    Time entries logged on private issues are still visible to users that have permissions to see all time entries, but they don't have enough permissions to see the respective issues.
Is this a defect or it's the expected behaviour?
      
      Updated by Mischa The Evil about 3 years ago
      
    
    - Has duplicate Defect #37729: Time entries listed/visible even for issues not accessible by user added
 
      
      Updated by Mischa The Evil about 3 years ago
      
    
    - Status changed from Confirmed to Needs feedback
 
Marius BALTEANU wrote:
[...]
Is this a defect or it's the expected behaviour?
I don't think it is a defect. Time entry visibility is (and has always been) independent of issue visibility. Time entries and issues aren't coupled in any way regarding object visibility. AFAIK was such coupling never intended to be part of the scope of issue #7412, #7414 nor #8929.
Instead, time entry visibility depends entirely on the :view_time_entries permission together with the "time logs visibility" role setting that determines if the role can view all or own time entries only.
Given the above I'd say we can close this issue as 'wont fix'. However, given the observed expectations and the potential implications, it might be a good idea to open a new feature request for an option to also take issue visibility and/or even issue permissions into account when considering time entry visibility.
What do you think?