Defect #14219
closed
Escalating privileges
Description
Scenario 1:
Say I have 2 roles:
- Supervisor, with create project and create subprojects privileges
- Manager, with create subprojects privilege
They are listed IN THAT ORDER in Roles section.
Manager cannot at this point create anything but subprojects.
Now, a Supervisor creates a project, and appoints some user with Manager role.
This user creates a subproject. He is somehow by default given Supervisor role for that project. He now has supervisor privileges and can create main projects.
This does not occur if Manager comes first in Roles list. Then by default, the Manager role is assigned to the user in subproject.
Scenario 2:
- Supervisor, with create project, Manage members and create subprojects privileges
- Manager, with Manage members privilege
Manager can simply go to "Setting > Members" of that project, edit his membership and assign himself Supervisor role. Now he can create new projects, etc.
Is this normal behaviour?
Updated by Jean-Philippe Lang over 12 years ago
- Status changed from New to Closed
- Resolution set to Invalid
Tor Holden wrote:
Scenario 1:
This user creates a subproject. He is somehow by default given Supervisor role for that project. He now has supervisor privileges and can create main projects.
When a non-admin creates a project, he is given the first role available by default. You can choose a different role (e.g. Manager) for that in Application settings -> Projects.
Scenario 2:
- Supervisor, with create project, Manage members and create subprojects privileges
- Manager, with Manage members privilege
Manager can simply go to "Setting > Members" of that project, edit his membership and assign himself Supervisor role. Now he can create new projects, etc.
A member with manage members permissions can indeed manage all members and their roles.
Is this normal behaviour?
Yes, I'm closing it as all of this is the expected behaviour. Being able to restrict the list of roles that a user could manage would be a nice addition in regard to Scenario 2 (e.g. restricting a manager to manage developers roles only). Please open a feature request if you find this feature desirable.
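The two behaviours confirmed in the reply above (the creator of a project receives the configured or first-listed role, and manage members covers every role) can be checked against a role list during a permissions review. The following Ruby is an added example, not part of this issue thread or Redmine's own code; the `Role` struct, the permission symbols and the `audit` helper are hypothetical names that model the roles from the report.

```ruby
# Constructed model of the role setups in the report; names are illustrative
# and are not Redmine's internal API.
Role = Struct.new(:name, :permissions)

# Role a non-admin receives on a project they create: the configured default
# if one is set, otherwise the first role in list order (as stated in the reply).
def creator_role(roles, default_name = nil)
  roles.find { |r| r.name == default_name } || roles.first
end

# Permissions a holder of `role` can reach inside one project. A role with
# :manage_members can edit any membership, its own included, so it reaches
# the union of every role's permissions.
def reachable_permissions(role, roles)
  return role.permissions.uniq unless role.permissions.include?(:manage_members)
  roles.flat_map(&:permissions).uniq
end

# Findings: roles that can end up with more than they were granted.
def audit(roles, default_name = nil)
  findings = []
  roles.each do |role|
    extra = reachable_permissions(role, roles) - role.permissions
    findings << "#{role.name}: manage members also reaches #{extra.join(', ')}" unless extra.empty?
  end
  given = creator_role(roles, default_name)
  roles.each do |role|
    next unless role.permissions.include?(:create_subprojects)
    extra = given.permissions - role.permissions
    next if extra.empty?
    findings << "#{role.name}: creating a subproject yields #{given.name} (#{extra.join(', ')})"
  end
  findings
end

# Role lists from scenario 1 and scenario 2, in the order given in the report.
SCENARIO_1 = [
  Role.new('Supervisor', %i[create_project create_subprojects]),
  Role.new('Manager', %i[create_subprojects])
].freeze
SCENARIO_2 = [
  Role.new('Supervisor', %i[create_project manage_members create_subprojects]),
  Role.new('Manager', %i[manage_members])
].freeze

puts audit(SCENARIO_1)                     # default role unset: first role is used
puts audit(SCENARIO_1, 'Manager').inspect  # default role set to Manager
puts audit(SCENARIO_2)
```

An empty result for scenario 1 once the default is set to Manager, or once Manager is listed first, matches the behaviour described in the thread; scenario 2 stays flagged because manage members is not limited to a subset of roles.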