Defect #2589
closed
Cross project issue relations and user permissions
0%
Description
I have an odd use-case here. Administrator Alice enables cross-project issue relations, creates a private project and creates issue 1 (an issue User Bob can't see). Bob, who belongs to a public project, creates issue 2. Being the sneaky user that he is, he wants to see what tickets private trackers have. He adds an issue relation to issue 1 and sees the ticket subject. Oh noes!
Basically, cross-project issue relations aren't respecting user permissions to see the ticket (or its subject). The issue relation could be kept, for sure, just not displayed to that user.
I gather the fix is to restrict what issue relations show according the the viewing user's permissions, yeah?
Updated by Jean-Philippe Lang over 16 years ago
He adds an issue relation to issue 1 and sees the ticket subject. Oh noes!
This is fixed in r2323. Users are no longer able to add relation on tickets they're not allowed to view.
TODO: do not show a relation if the related issue can not be viewed.
Updated by Jean-Philippe Lang over 16 years ago
- Status changed from New to Closed
- Target version set to 0.9.0
- Resolution set to Fixed
Last part is fixed in r2343.
The relation will be hidden if the user is not allowed to view the related issue.