Defect #12287
open
Time entries of private issues are visible by users without permission to see them
0%
Description
By accessing /projects/:id/time_entries users can see time entries submitted on privates issues even if they don't have access to the issue.
Affected version:
Redmine: 2.1.2.devel.10772
Rails: 3.2.8
Ruby: 1.9.3 (x86_64-linux)
Related issues
Updated by Daniel Felix over 12 years ago
- Status changed from New to Confirmed
- Priority changed from Normal to High
Hi,
i can confirm this with current trunk (10781)!
Updated by Ricardo S over 12 years ago
This can be fixed with the following modifications on the TimeEntry model:
# Create this method
def self.visible_condition(user, options={})
"(#{Issue.visible_condition(user, options)} AND #{Project.allowed_to_condition(user, :view_time_entries, options)})"
end
# Update the :visible scope
scope :visible, lambda {|*args| {
:include => [:project, :issue],
:conditions => TimeEntry.visible_condition(args.shift || User.current, *args)
}}
With these changes, time entries on private issues will no longer be visible neither on search results page nor on the /projects/:id/time_entries page.
Updated by Etienne Massip over 12 years ago
- Target version set to Candidate for next minor release
Updated by Toshi MARUYAMA
Updated by Marius BÄ‚LTEANU over 8 years ago
Time entries logged on private issues are still visible to users that have permissions to see all time entries, but they don't have enough permissions to see the respective issues.
Is this a defect or it's the expected behaviour?
Updated by Mischa The Evil almost 3 years ago
- Has duplicate Defect #37729: Time entries listed/visible even for issues not accessible by user added
Updated by Mischa The Evil almost 3 years ago
- Status changed from Confirmed to Needs feedback
Marius BALTEANU wrote:
[...]
Is this a defect or it's the expected behaviour?
I don't think it is a defect. Time entry visibility is (and has always been) independent of issue visibility. Time entries and issues aren't coupled in any way regarding object visibility. AFAIK was such coupling never intended to be part of the scope of issue #7412, #7414 nor #8929.
Instead, time entry visibility depends entirely on the :view_time_entries permission together with the "time logs visibility" role setting that determines if the role can view all or own time entries only.
Given the above I'd say we can close this issue as 'wont fix'. However, given the observed expectations and the potential implications, it might be a good idea to open a new feature request for an option to also take issue visibility and/or even issue permissions into account when considering time entry visibility.
What do you think?