<p><strong>Redmine - Defect #23655: Restricted permissions for non member/anonymous on a given project not working</strong></p>
<p><strong>Toshi MARUYAMA</strong>, 2016-08-24T15:02:16Z (https://www.redmine.org/issues/23655?journal_id=72950)</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Needs feedback</i></li></ul><p>I cannot reproduce on vanilla Redmine <a class="version" href="https://www.redmine.org/versions/117">3.1.6</a>.<br />I think this is fixed by <a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Defect: Members w/o view issues permission are able to list issues on public projects if the non member r... (Closed)" href="https://www.redmine.org/issues/20206">#20206</a>.</p>
<p><strong>Holger Just</strong>, 2016-08-24T16:32:05Z (https://www.redmine.org/issues/23655?journal_id=72952)</p>
<p>I can reproduce it on 3.2-stable (the Affected version is set to 3.1.3 since this is the latest version available in the custom field). The actual issue was found on a Redmine 3.2.1.</p>
<p><a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Defect: Members w/o view issues permission are able to list issues on public projects if the non member r... (Closed)" href="https://www.redmine.org/issues/20206">#20206</a> fixes a related issue for the default non-member role. Now with a custom non-member role, the problem is back. It is however important to strictly reproduce the setup described by Alexander: you need the default non-member role to have the Issue visibility set to all. You also need a <strong>different</strong> role with restricted issue visibility assigned as non-member role for the specific project.</p>
<p>The result is that <code>Project.allowed_to_condition</code> first considers the default non-member role and adds statements since the default role has the permission to view all issues. However, the custom role does not. Now the bug is that <code>Project.allowed_to_condition</code> does not consider custom default-roles in this first step. They are only considered later in <code>User#projects_by_role</code>.</p>
<p>I think a quick patch could look like this (mostly untested):</p>
<pre>
diff --git a/app/models/project.rb b/app/models/project.rb
index 197f45e..9f177ee 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -197,7 +197,7 @@ class Project < ActiveRecord::Base
if role.allowed_to?(permission)
s = "#{Project.table_name}.is_public = #{connection.quoted_true}"
if user.id
- s = "(#{s} AND #{Project.table_name}.id NOT IN (SELECT project_id FROM #{Member.table_name} WHERE user_id = #{user.id}))"
+ s = "(#{s} AND #{Project.table_name}.id NOT IN (SELECT project_id FROM #{Member.table_name} LEFT OUTER JOIN #{Principal.table_name} ON #{Member.table_name}.user_id = #{Principal.table_name}.id WHERE #{Member.table_name}.user_id = #{user.id} OR #{Principal.table_name}.type IN ('GroupAnonymous', 'GroupNonMember')))"
end
statement_by_role[role] = s
end
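Review bot: The added exclusion on the + line lives inside `if user.id`, so an anonymous user still gets the bare `is_public` statement and a project with a custom anonymous role is still matched by the default role. In the same line, `IN ('GroupAnonymous', 'GroupNonMember')` also removes projects that only carry a custom anonymous role from the logged-in user's default statement. Suggest limiting the logged-in branch to 'GroupNonMember', adding a matching NOT IN on 'GroupAnonymous' for the case where `user.id` is nil, and covering both cases with a test, since the patch is described as mostly untested.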
</pre>
<p><strong>Toshi MARUYAMA</strong>, 2016-08-25T02:12:43Z (https://www.redmine.org/issues/23655?journal_id=72954)</p>
<ul><li><strong>File</strong> <a href="/attachments/16579">project-setting.png</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/16579/project-setting.png">project-setting.png</a> added</li><li><strong>File</strong> <a href="/attachments/16580">role.png</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/16580/role.png">role.png</a> added</li></ul><p>I still cannot reproduce on 3.2-stable.<br />I cannot understand "You also need a different role with restricted issue visibility assigned as non-member role for the specific project."</p>
<p><img src="https://www.redmine.org/attachments/download/16580/role.png" alt="" /></p>
<p><img src="https://www.redmine.org/attachments/download/16579/project-setting.png" alt="" /></p>
<p><strong>Holger Just</strong>, 2016-08-25T09:27:47Z (https://www.redmine.org/issues/23655?journal_id=72964)</p>
<ul><li><strong>File</strong> <a href="/attachments/16589">desired_member_settings.png</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/16589/desired_member_settings.png">desired_member_settings.png</a> added</li></ul><p><a class="user active" href="https://www.redmine.org/users/10651">toshio harita</a>: The role (test02 in your case) needs to be assigned to the project for Non member users, that is, you don't assign the role to an actual user but you set it as a custom non-member role for the project. The user cannot be an explicit member of the project. This feature to set a custom non-member role was added in <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: Custom permissions per project for non member and anonymous users (Closed)" href="https://www.redmine.org/issues/17976">#17976</a>.</p>
<p>The settings screen should thus look like this:</p>
<p><img src="https://www.redmine.org/attachments/download/16589/desired_member_settings.png" alt="" /></p>
<p><strong>Toshi MARUYAMA</strong>, 2016-08-25T11:39:01Z (https://www.redmine.org/issues/23655?journal_id=72969)</p>
<ul><li><strong>Status</strong> changed from <i>Needs feedback</i> to <i>Confirmed</i></li><li><strong>Target version</strong> set to <i>3.1.7</i></li></ul><p>I got it.</p>
<p><strong>Jean-Philippe Lang</strong>, 2016-08-30T19:26:03Z (https://www.redmine.org/issues/23655?journal_id=73098)</p>
<ul><li><strong>Subject</strong> changed from <i>Permissions model applied inconsistently</i> to <i>Restricted permissions for non member/anonymous on a given project not working</i></li><li><strong>Status</strong> changed from <i>Confirmed</i> to <i>Resolved</i></li><li><strong>Assignee</strong> set to <i>Jean-Philippe Lang</i></li><li><strong>Resolution</strong> set to <i>Fixed</i></li></ul><p>Fixed in <a class="changeset" title="Fixed that restricted custom permissions on for non member/anonymous does not work (#23655)." href="https://www.redmine.org/projects/redmine/repository/svn/revisions/15750">r15750</a>, thanks for pointing this out.</p>
<p><strong>Jean-Philippe Lang</strong>, 2016-08-31T16:52:28Z (https://www.redmine.org/issues/23655?journal_id=73133)</p>
<ul><li><strong>Status</strong> changed from <i>Resolved</i> to <i>Closed</i></li></ul>
<p><strong>Jens Stein</strong>, 2018-05-08T08:41:13Z (https://www.redmine.org/issues/23655?journal_id=84912)</p>
<ul><li><strong>File</strong> <a href="/attachments/20632">Redmine-2018-05-08-10-19-33.png</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/20632/Redmine-2018-05-08-10-19-33.png">Redmine-2018-05-08-10-19-33.png</a> added</li><li><strong>File</strong> <a href="/attachments/20633">TicketViewer - Rollen - Redmine-2018-05-08-10-30-58.png</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/20633/TicketViewer%20-%20Rollen%20-%20Redmine-2018-05-08-10-30-58.png">TicketViewer - Rollen - Redmine-2018-05-08-10-30-58.png</a> added</li></ul><p>It seems as if the problem is back:<br />I added the group "Nicht-Mitglieder" (which is the translated version of "Non member users") in a role called "TicketViewer" to some of our projects and authenticated (so not anonymous) users are not able to view the issues in the project.</p>
<pre>
Informationen
Redmine 3.3.4.stable.16947
</pre>
<p>I add screenshots of the added role in an example project and the roles configuration.<br />Maybe I made an error in setting it up.</p>
<p>Is there any other way to ensure a group (and it should be a dynamically changing group of authenticated users - e.g. employees which don't belong to the project as reporters, developers or any other set of roles/functions within the project), let's call them authenticated non-members,</p>
<ul>
<li>authenticated non-members are able to view tickets</li>
<li>authenticated non-members are not able to view any other module</li>
<li>authenticated non-members are enabled to add themselves to the watchlist</li>
<li>authenticated non-members won't receive any news or forum notifications</li>
</ul>
<p>Any advice, tips, workarounds?</p>
<p>Thanks in advance,</p>
<p>JT</p>
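<p>Added example, not part of the thread and not Redmine's code or the change in r15750: a simplified Ruby model of the behaviour Holger Just describes for <code>Project.allowed_to_condition</code>, where the clause for the default non-member role is OR-ed with the clause for a project's custom non-member role. The structs, constants and the <code>honor_custom_role</code> switch are hypothetical, the sample data is constructed, and the viewer is assumed to be a logged-in non-member of every project.</p>

```ruby
# Simplified model (hypothetical names), not Redmine's implementation.
Role    = Struct.new(:name, :visibility)            # :all or :own
Project = Struct.new(:name, :is_public, :non_member_role)
Issue   = Struct.new(:id, :project, :author_id)

# Default non-member role sees all issues, as in the reported setup.
DEFAULT_NON_MEMBER = Role.new('Non member', :all)
# Custom role with restricted issue visibility, assigned per project.
OWN_ONLY = Role.new('Restricted', :own)

# Constructed sample data: one plain public project, one public project
# that uses the restricted role for its non-members.
OPEN   = Project.new('open', true, nil)
LOCKED = Project.new('locked', true, OWN_ONLY)
ISSUES = [
  Issue.new(1, OPEN, 7),
  Issue.new(2, LOCKED, 7),
  Issue.new(3, LOCKED, 9)
].freeze

def role_allows?(role, issue, user_id)
  role.visibility == :all || issue.author_id == user_id
end

# honor_custom_role: false models the reported behaviour (the default-role
# clause covers every public project); true models the intended behaviour
# (the default-role clause skips projects that define a custom role).
def visible_issue_ids(user_id, issues, honor_custom_role:)
  visible = issues.select do |issue|
    project = issue.project
    next false unless project.is_public

    roles = []
    skip_default = honor_custom_role && project.non_member_role
    roles << DEFAULT_NON_MEMBER unless skip_default
    roles << project.non_member_role if project.non_member_role
    # Clauses are OR-ed: one permissive role is enough to expose the issue.
    roles.any? { |role| role_allows?(role, issue, user_id) }
  end
  visible.map(&:id)
end

p visible_issue_ids(9, ISSUES, honor_custom_role: false)
p visible_issue_ids(9, ISSUES, honor_custom_role: true)
```

<p>With the switch off, user 9 sees issue 2 in the restricted project although another user authored it; with the switch on, only the user's own issue in that project remains visible.</p>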