Project

General

Profile

Actions

Defect #12287

open

Time entries of private issues are visible by users without permission to see them

Added by Ricardo S over 11 years ago. Updated over 1 year ago.

Status:
Needs feedback
Priority:
High
Assignee:
-
Category:
Time tracking
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Affected version:

Description

By accessing /projects/:id/time_entries users can see time entries submitted on privates issues even if they don't have access to the issue.

Affected version:
Redmine: 2.1.2.devel.10772
Rails: 3.2.8
Ruby: 1.9.3 (x86_64-linux)


Related issues

Has duplicate Redmine - Defect #37729: Time entries listed/visible even for issues not accessible by userClosed

Actions
Actions #1

Updated by Daniel Felix over 11 years ago

  • Status changed from New to Confirmed
  • Priority changed from Normal to High

Hi,

i can confirm this with current trunk (10781)!

Actions #2

Updated by Ricardo S over 11 years ago

This can be fixed with the following modifications on the TimeEntry model:

  # Create this method
  def self.visible_condition(user, options={})
     "(#{Issue.visible_condition(user, options)} AND #{Project.allowed_to_condition(user, :view_time_entries, options)})" 
  end

  # Update the :visible scope
  scope :visible, lambda {|*args| {
    :include => [:project, :issue],
    :conditions => TimeEntry.visible_condition(args.shift || User.current, *args)
  }}

With these changes, time entries on private issues will no longer be visible neither on search results page nor on the /projects/:id/time_entries page.

Actions #3

Updated by Etienne Massip over 11 years ago

  • Target version set to Candidate for next minor release
Actions #4

Updated by Toshi MARUYAMA over 11 years ago

What status is this issue?

Actions #5

Updated by Marius BÄ‚LTEANU about 7 years ago

Time entries logged on private issues are still visible to users that have permissions to see all time entries, but they don't have enough permissions to see the respective issues.

Is this a defect or it's the expected behaviour?

Actions #6

Updated by Mischa The Evil over 1 year ago

  • Has duplicate Defect #37729: Time entries listed/visible even for issues not accessible by user added
Actions #7

Updated by Mischa The Evil over 1 year ago

  • Status changed from Confirmed to Needs feedback

Marius BALTEANU wrote:

[...]

Is this a defect or it's the expected behaviour?

I don't think it is a defect. Time entry visibility is (and has always been) independent of issue visibility. Time entries and issues aren't coupled in any way regarding object visibility. AFAIK was such coupling never intended to be part of the scope of issue #7412, #7414 nor #8929.
Instead, time entry visibility depends entirely on the :view_time_entries permission together with the "time logs visibility" role setting that determines if the role can view all or own time entries only.

Given the above I'd say we can close this issue as 'wont fix'. However, given the observed expectations and the potential implications, it might be a good idea to open a new feature request for an option to also take issue visibility and/or even issue permissions into account when considering time entry visibility.

What do you think?

Actions

Also available in: Atom PDF