Defect #20206
Members w/o view issues permission are able to list issues on public projects if the non member role has the permission
| Status: | Closed | Start date: | ||
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: |  Jean-Philippe Lang | % Done: | 0% | |
| Category: | Issues | |||
| Target version: | 3.1.0 | |||
| Resolution: | Fixed | Affected version: | 3.0.3 |
Description
Direct links return 403.
- /issues/<id>
- /projects/<id>/issues
But issues of project with no "View Issues" role are listed on "View all issues".
Related issues
Associated revisions
Fixed that members without view issues permission are able to list issues on public projects if the non member role has the permission (#20206).
History
#1
Updated by Jean-Philippe Lang over 6 years ago
This happens because your "Non member" role has the "View issues" permission.
Issue.visible and Issue#visible? doesn't behave the same in this particular case. Issue.visible considers the non member permissions even for members, but Issue#visible? does not. I think that members should not have less permissions than non members and behaviour should be aligned on the Issue.visible scope.
#2
Updated by Jean-Philippe Lang about 6 years ago
- Status changed from New to Closed
- Assignee set to Jean-Philippe Lang
- Resolution set to Fixed
#3
Updated by Jean-Philippe Lang about 6 years ago
- Subject changed from "View all issues"lists issues nevertheless role has no "View Issues" to Members w/o view issues permission are able to list issues on public projects if the non member role has the permission
#4
Updated by Toshi MARUYAMA about 6 years ago
- Related to Defect #19602: Non-Reporter role cannot see issue list added