Project

General

Profile

Actions

Defect #13682

closed

Permission "Commit access" affected by role ID instead of role position

Added by Tharuka Pathirana almost 11 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Permissions and roles
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Invalid
Affected version:

Description

When several roles affect a user in a project, the effective "commit access" permission depends on the assigned roles' IDs instead of their position under "Administration >> Roles and permission".

Here is an example. Suppose we have these roles set up in this order:

Role id SVN Read access SVN Commit access
Developer 4 Yes Yes
User 5 - -
Customer 6 Yes -

What happens if we assign a user a combination of roles, this is what happens:

Role(s) Can read Can commit As expected?
A. Customer Yes - Yes
B. User - - Yes
C. Developer Yes Yes Yes
D. Customer, User Yes - Yes(?)
E. Customer, Developer Yes - No
F. User, Developer - - No
G. Customer, User, Developer Yes - No

In combination D. I'm not sure whether the absence of the READ permission in the role "User" should override the READ permission of the role "Customer". I don't think so as I believe that the default is denied permission unless explicitly allowed by a role. But I don't know in what way the order of the roles are supposed to influence the permissions.

In E., F. and G. it becomes clear that not the order of the roles has influence, but their respective ID. In all three combinations the user should have READ als well as COMMIT permission. But that's not the case.

If, however, I change permissions to the following, keeping the order of the roles:

Role id SVN Read access SVN Commit access
Developer 4 Yes -
User 5 - -
Customer 6 Yes Yes

Then this is what happens:

Role(s) Can read Can commit As expected?
A. Customer Yes Yes Yes
B. User - - Yes
C. Developer Yes - Yes
D. Customer, User Yes Yes Yes(?)
E. Customer, Developer Yes Yes Yes(?)
F. User, Developer - - No
G. Customer, User, Developer Yes Yes Yes

In D. even though "User" is above "Customer" the user has READ and COMMIT access because the "Customer" role overrides the "User" role (or the "Developer" role in E.) because it has a higher ID (as opposed to combination F. in the first example above).

So essentially:
Is the order of the roles supposed to have influence on what resulting permissions a user has if they have several roles assigned?
If yes, then the "position" and not the "id" is supposed to be the affecting attribute.
If no, then neither "position" (order of the roles) nor their "id" should affect the resulting permission.

Actions #1

Updated by Go MAEDA over 2 years ago

  • Status changed from New to Closed
  • Resolution set to Invalid

Tharuka Pathirana wrote:

Is the order of the roles supposed to have influence on what resulting permissions a user has if they have several roles assigned?

Both id and position are completely unrelated to the permissions applied to a user. RedmineRoles says that "if a member has multiple roles in a project, the permissions applied to the member is the combination of all roles' permissions".

Actions

Also available in: Atom PDF