Defect #2589

closed

Cross project issue relations and user permissions

Added by Brad Beattie about 15 years ago. Updated about 15 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Issues
Target version:
Start date: 2009-01-26
Due date:
% Done: 0%
Estimated time: 1.00 h
Resolution: Fixed
Affected version:

Description

I have an odd use-case here. Administrator Alice enables cross-project issue relations, creates a private project and creates issue 1 (an issue User Bob can't see). Bob, who belongs to a public project, creates issue 2. Being the sneaky user that he is, he wants to see what tickets private trackers have. He adds an issue relation to issue 1 and sees the ticket subject. Oh noes!

Basically, cross-project issue relations aren't respecting user permissions to see the ticket (or its subject). The issue relation could be kept, for sure, just not displayed to that user.

I gather the fix is to restrict what issue relations show according to the viewing user's permissions, yeah?

Actions #1

Updated by Jean-Philippe Lang about 15 years ago

He adds an issue relation to issue 1 and sees the ticket subject. Oh noes!

This is fixed in r2323. Users are no longer able to add a relation on tickets they're not allowed to view.

TODO: do not show a relation if the related issue can not be viewed.

Actions #2

Updated by Jean-Philippe Lang about 15 years ago

  • Status changed from New to Closed
  • Target version set to 0.9.0
  • Resolution set to Fixed

Last part is fixed in r2343.
The relation will be hidden if the user is not allowed to view the related issue.
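
The two checks described in this thread (refusing to create a relation to an issue the user cannot view, and hiding a stored relation from a viewer who cannot view the related issue), sketched as an added Ruby example. This is not Redmine's code: `User`, `Project`, `Issue`, `RelationStore` and their methods are hypothetical, and visibility is simplified to "public project, project member, or admin".

```ruby
require 'set'

# Hypothetical minimal model, constructed for this example only.
User = Struct.new(:id, :admin)
Project = Struct.new(:is_public, :member_ids) do
  def visible_to?(user)
    is_public || user.admin || member_ids.include?(user.id)
  end
end
Issue = Struct.new(:id, :subject, :project) do
  def visible_to?(user)
    project.visible_to?(user)
  end
end

class RelationStore
  class NotAuthorized < StandardError; end

  def initialize
    @relations = [] # pairs of [issue_from, issue_to]
  end

  # Check at creation: the acting user must be allowed to view both ends.
  def add(user, from, to)
    unless from.visible_to?(user) && to.visible_to?(user)
      raise NotAuthorized, 'cannot relate issues you are not allowed to view'
    end
    @relations << [from, to]
  end

  # Check at display: the relation stays stored, but a viewer only gets
  # the related issues they are allowed to view.
  def visible_related(viewer, issue)
    @relations.select { |from, to| from == issue || to == issue }
              .map { |from, to| from == issue ? to : from }
              .select { |other| other.visible_to?(viewer) }
  end
end

# Constructed scenario from the description: Alice is an admin, Bob is not.
def demo
  alice = User.new(1, true)
  bob = User.new(2, false)
  issue1 = Issue.new(1, 'private subject', Project.new(false, Set[1]))
  issue2 = Issue.new(2, 'public subject', Project.new(true, Set[1, 2]))
  store = RelationStore.new
  blocked = begin store.add(bob, issue2, issue1); false
            rescue RelationStore::NotAuthorized then true end
  store.add(alice, issue2, issue1) # a legitimate cross-project relation
  { bob_blocked: blocked,
    bob_sees: store.visible_related(bob, issue2).map(&:subject),
    alice_sees: store.visible_related(alice, issue2).map(&:subject) }
end
```

The creation check alone is not enough: once Alice relates the two issues, Bob's view of issue 2 still depends on the display-time filter.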
