Users can see all groups when adding a filter "Assignee's Group"
Djordjije Crni wrote:
User can see the names of all groups on Redmine, by selecting issue filter by "Assignee's group"!
This happens even if issue assignment to groups isn't allowed.
I've expected to see only the names of those groups which are assigned to that project in the filter list.
And guess what, almost all group names (in my case) are constructed from two parts: project role and project name. Very original idea, isn't it?
In this case, customer can easily guess names of all projects, which is not acceptible at all.
It seems that current Redmine user/group permission model can't provide reliable customer/project isolation.
"Workaround" could be to give meaningless names to groups, and even better, give meaningless names to projects also?
We have the same issue. We create a group for each customer who is accessing Redmine, and the group name is the customer name. This way, any customer can access our whole customer list.
Thanks in advance for your feedback.
Updated by Markus Peter over 9 years ago
A solution would be to only list groups which are linked to a role in the current project.
In our case (a group for each client), this would effectively prevent our clients from seeing each other.
We now have to link all client users directly to their projects in order to bypass the creation of a group.
Updated by Rafał Lisowski over 9 years ago
I just disabled filter by group. No one use it at my company so it was the easiest way to prevent data leakage.
I don't have time now to impelement Marcus Peter solution: "only list groups which are linked to a role in the current project".
Updated by Jean-Philippe Lang almost 9 years ago
- Status changed from New to Closed
- Assignee set to Jean-Philippe Lang
- Target version set to 3.0.0
- Resolution set to Fixed
Fixed by r13584. Depending on Users visibility setting on roles, the group filter will list groups linked to visible projects only.