Defect #13360
closedPermissions of Multiple Roles
0%
Description
- RolA: issue visibiliti setting is "Issues created by or assigned to the user" and it has issue edit permissions.
- RolB: issue visibiliti setting is "All non private issues" and it has issue view permissions, do not edit!
If an user has both of RolA and RolB roles result is:
The user can edit all non private issues.
In my opinion, this is not usual.
Recent Discuss: http://www.redmine.org/boards/1/topics/36188?r=36236#message-36236
Related issues
Updated by Adnan Topçu over 11 years ago
There is a need to issue editing only by assigned user. This is possible fixing this issue or adding new permission like as "edit assigned issue" etc.
Please write your opinions.
Regards
Updated by Go MAEDA over 4 years ago
Adnan Topçu wrote:
There are two roles:
- RolA: issue visibiliti setting is "Issues created by or assigned to the user" and it has issue edit permissions.
- RolB: issue visibiliti setting is "All non private issues" and it has issue view permissions, do not edit!
If an user has both of RolA and RolB roles result is:
The user can edit all non private issues.
I think it is expected behavior. The RedmineRoles page says that "If a member has multiple roles in a project, the permissions applied to the member is the combination of all roles' permissions".
Updated by Matthias Lehmann almost 4 years ago
Go MAEDA wrote:
Adnan Topçu wrote:
There are two roles:
- RolA: issue visibiliti setting is "Issues created by or assigned to the user" and it has issue edit permissions.
- RolB: issue visibiliti setting is "All non private issues" and it has issue view permissions, do not edit!
If an user has both of RolA and RolB roles result is:
The user can edit all non private issues.I think it is expected behavior. The RedmineRoles page says that "If a member has multiple roles in a project, the permissions applied to the member is the combination of all roles' permissions".
That probably depends on the interpretation of "combination". As an example, if one role contains the numbers 10 to 12 and the second role the numbers the numbers 15 to 17, I would expect the combination of both roles to include 10,11,12,15,16,17. You seem to suggest, that the combination includes 10 through to 17, which I personally wouldn't expect. In the specific example brought up by Adnan I would expect the combination to be "view all issues and edit the ones created by or assigned to the user", not "view and edit all issues".
Updated by Go MAEDA almost 4 years ago
Matthias Lehmann wrote:
Go MAEDA wrote:
Adnan Topçu wrote:
There are two roles:
- RolA: issue visibiliti setting is "Issues created by or assigned to the user" and it has issue edit permissions.
- RolB: issue visibiliti setting is "All non private issues" and it has issue view permissions, do not edit!
If an user has both of RolA and RolB roles result is:
The user can edit all non private issues.I think it is expected behavior. The RedmineRoles page says that "If a member has multiple roles in a project, the permissions applied to the member is the combination of all roles' permissions".
That probably depends on the interpretation of "combination". As an example, if one role contains the numbers 10 to 12 and the second role the numbers the numbers 15 to 17, I would expect the combination of both roles to include 10,11,12,15,16,17.
Redmine behaves exactly like that.
Updated by Go MAEDA over 3 years ago
- Status changed from New to Closed
- Resolution set to Wont fix