Project

General

Profile

Actions
Copy link

Defect #20206

closed

Members w/o view issues permission are able to list issues on public projects if the non member role has the permission

Added by Toshi MARUYAMA about 10 years ago. Updated almost 10 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Jean-Philippe Lang
Category:
Issues
Target version:
3.1.0
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:
3.0.3

Description

Direct links return 403.
  • /issues/<id>
  • /projects/<id>/issues

But issues of project with no "View Issues" role are listed on "View all issues".

Related issues

Related to Redmine - Defect #19602: Non-Reporter role cannot see issue listNeeds feedback

Actions
Actions
Copy link
 #1

Updated by Jean-Philippe Lang almost 10 years ago

This happens because your "Non member" role has the "View issues" permission.
Issue.visible and Issue#visible? doesn't behave the same in this particular case. Issue.visible considers the non member permissions even for members, but Issue#visible? does not. I think that members should not have less permissions than non members and behaviour should be aligned on the Issue.visible scope.

Actions
Copy link
 #2

Updated by Jean-Philippe Lang almost 10 years ago

  • Status changed from New to Closed
  • Assignee set to Jean-Philippe Lang
  • Resolution set to Fixed
Actions
Copy link
 #3

Updated by Jean-Philippe Lang almost 10 years ago

  • Subject changed from "View all issues"lists issues nevertheless role has no "View Issues" to Members w/o view issues permission are able to list issues on public projects if the non member role has the permission
Actions
Copy link
 #4

Updated by Toshi MARUYAMA almost 10 years ago

  • Related to Defect #19602: Non-Reporter role cannot see issue list added
Actions
Copy link

Also available in: Atom PDF