Defect #2589
Cross project issue relations and user permissions
| Status: | Closed | Start date: | 2009-01-26 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | Issues | Estimated time: | 1.00 hour |
| Target version: | 0.9.0 | | |
| Resolution: | Fixed | Affected version: | |
Description
I have an odd use-case here. Administrator Alice enables cross-project issue relations, creates a private project and creates issue 1 (an issue User Bob can't see). Bob, who belongs to a public project, creates issue 2. Being the sneaky user that he is, he wants to see what tickets private trackers have. He adds an issue relation to issue 1 and sees the ticket subject. Oh noes!
Basically, cross-project issue relations aren't respecting user permissions to see the ticket (or its subject). The issue relation could be kept, for sure, just not displayed to that user.
I gather the fix is to restrict what issue relations show according to the viewing user's permissions, yeah?
Associated revisions
Fixed: users should not be able to add relations with issues they're not allowed to view (#2589).
Fixed: issue details view discloses relations to issues that the user is not allowed to view (#2589).
History
#1
Updated by Jean-Philippe Lang over 13 years ago
> He adds an issue relation to issue 1 and sees the ticket subject. Oh noes!
This is fixed in r2323. Users are no longer able to add a relation to tickets they're not allowed to view.
TODO: do not show a relation if the related issue can not be viewed.
#2
Updated by Jean-Philippe Lang over 13 years ago
- Status changed from New to Closed
- Target version set to 0.9.0
- Resolution set to Fixed
Last part is fixed in r2343.
The relation will be hidden if the user is not allowed to view the related issue.
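
The two checks discussed in this ticket (refusing to create a relation to an issue the acting user cannot view, and hiding stored relations from viewers who cannot see the related issue), sketched as an added example. This is a minimal in-memory model, not Redmine's code; every class, method and constant name in it is hypothetical, and the sample data is constructed to mirror the Alice/Bob scenario from the description.

```ruby
# Added illustration: a minimal in-memory model, not Redmine's code.
# All names below are hypothetical; the sample data is constructed.
require 'set'

User = Struct.new(:id, :login)

Project = Struct.new(:name, :is_public, :member_ids) do
  # A project is visible if it is public or the user is a member.
  def visible_to?(user)
    is_public || member_ids.include?(user.id)
  end
end

class Issue
  attr_reader :id, :subject, :project

  def initialize(id, subject, project)
    @id, @subject, @project = id, subject, project
    @relations = []
  end

  def visible_to?(user)
    project.visible_to?(user)
  end

  # Check 1 (write path): no relation unless the acting user can view both ends.
  def add_relation(target, acting_user)
    return false unless visible_to?(acting_user) && target.visible_to?(acting_user)
    @relations << target
    true
  end

  # Check 2 (read path): the relation stays stored, but is filtered per viewer,
  # so a relation created by a privileged user does not leak the subject.
  def relations_visible_to(viewer)
    @relations.select { |issue| issue.visible_to?(viewer) }
  end
end

# Constructed scenario: Alice is a member of the private project, Bob is not.
ALICE = User.new(1, 'alice')
BOB = User.new(2, 'bob')
PRIVATE_PROJECT = Project.new('private', false, Set[ALICE.id])
PUBLIC_PROJECT = Project.new('public', true, Set[ALICE.id, BOB.id])
ISSUE_1 = Issue.new(1, 'secret subject', PRIVATE_PROJECT)
ISSUE_2 = Issue.new(2, 'public bug', PUBLIC_PROJECT)
```

Both checks are needed: the write-path check alone leaves relations created by users who can see both issues exposed to viewers who can see only one of them.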