Defect #12287
Time entries of private issues are visible by users without permission to see them
| Status: | Confirmed | Start date: | ||
|---|---|---|---|---|
| Priority: | High | Due date: | ||
| Assignee: | - | % Done: | 0% | |
| Category: | Time tracking | |||
| Target version: | Candidate for next minor release | |||
| Resolution: | Affected version: |
Description
By accessing /projects/:id/time_entries users can see time entries submitted on privates issues even if they don't have access to the issue.
Affected version:
Redmine: 2.1.2.devel.10772
Rails: 3.2.8
Ruby: 1.9.3 (x86_64-linux)
History
#1
Updated by Daniel Felix almost 6 years ago
- Status changed from New to Confirmed
- Priority changed from Normal to High
Hi,
i can confirm this with current trunk (10781)!
#2
Updated by Ricardo S almost 6 years ago
This can be fixed with the following modifications on the TimeEntry model:
# Create this method
def self.visible_condition(user, options={})
"(#{Issue.visible_condition(user, options)} AND #{Project.allowed_to_condition(user, :view_time_entries, options)})"
end
# Update the :visible scope
scope :visible, lambda {|*args| {
:include => [:project, :issue],
:conditions => TimeEntry.visible_condition(args.shift || User.current, *args)
}}
With these changes, time entries on private issues will no longer be visible neither on search results page nor on the /projects/:id/time_entries page.
#3
Updated by Etienne Massip almost 6 years ago
- Target version set to Candidate for next minor release
#4
Updated by Toshi MARUYAMA over 5 years ago
What status is this issue?
#5
Updated by Marius BALTEANU over 1 year ago
Time entries logged on private issues are still visible to users that have permissions to see all time entries, but they don't have enough permissions to see the respective issues.
Is this a defect or it's the expected behaviour?