Defect #20206

closed

Members w/o view issues permission are able to list issues on public projects if the non member role has the permission

Added by Toshi MARUYAMA almost 10 years ago. Updated almost 10 years ago.

Status: Closed
Priority: Normal
Category: Issues
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Fixed
Affected version:

Description

Direct links return 403.
  • /issues/<id>
  • /projects/<id>/issues

But issues of a project with no "View Issues" role are listed on "View all issues".


Related issues

Related to Redmine - Defect #19602: Non-Reporter role cannot see issue list (Needs feedback)

Actions #1

Updated by Jean-Philippe Lang almost 10 years ago

This happens because your "Non member" role has the "View issues" permission.
Issue.visible and Issue#visible? don't behave the same in this particular case. Issue.visible considers the non member permissions even for members, but Issue#visible? does not. I think that members should not have fewer permissions than non members and behaviour should be aligned on the Issue.visible scope.

Actions #2

Updated by Jean-Philippe Lang almost 10 years ago

  • Status changed from New to Closed
  • Assignee set to Jean-Philippe Lang
  • Resolution set to Fixed
Actions #3

Updated by Jean-Philippe Lang almost 10 years ago

  • Subject changed from "View all issues" lists issues nevertheless role has no "View Issues" to Members w/o view issues permission are able to list issues on public projects if the non member role has the permission
Actions #4

Updated by Toshi MARUYAMA almost 10 years ago

  • Related to Defect #19602: Non-Reporter role cannot see issue list added
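
The mismatch described in comment #1, as an added example that is not Redmine's code: a simplified model of a list path and a per-record path that resolve roles differently, plus a consistency check that reports records on which they disagree. All names, structs and sample data here are constructed for illustration.

```ruby
# Simplified model of the two visibility paths (not Redmine's code).
Project = Struct.new(:name, :is_public, :member_perms) # member_perms: user => permissions
Issue   = Struct.new(:id, :project)

# Constructed setting: the "Non member" role has the "View issues" permission.
NON_MEMBER_PERMS = [:view_issues].freeze

def non_member_can_view?(project)
  project.is_public && NON_MEMBER_PERMS.include?(:view_issues)
end

# Per-record path: a member is judged by the member role only.
def visible?(issue, user)
  perms = issue.project.member_perms[user]
  perms ? perms.include?(:view_issues) : non_member_can_view?(issue.project)
end

# List path: non-member permissions count on public projects, even for members.
def visible_scope(issues, user)
  issues.select do |i|
    perms = i.project.member_perms[user]
    (perms && perms.include?(:view_issues)) || non_member_can_view?(i.project)
  end
end

# Per-record check aligned on the list path, as comment #1 proposes.
def visible_aligned?(issue, user)
  visible_scope([issue], user).any?
end

# Ids for which the list path and a per-record check disagree.
def mismatches(issues, user, check)
  listed = visible_scope(issues, user).map(&:id)
  issues.reject { |i| listed.include?(i.id) == check.call(i, user) }.map(&:id)
end

# Constructed data: alice is a member of the public project without "View issues".
pub   = Project.new("public", true,  { "alice" => [] })
team  = Project.new("team",   false, { "alice" => [:view_issues] })
other = Project.new("other",  false, {})
ISSUES = [Issue.new(1, pub), Issue.new(2, team), Issue.new(3, other)].freeze

puts "before: #{mismatches(ISSUES, 'alice', method(:visible?)).inspect}"
puts "after:  #{mismatches(ISSUES, 'alice', method(:visible_aligned?)).inspect}"
```

Running the same comparison over every role and project combination in a test suite catches any later drift between a list scope and its per-record check.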