Defect #28069

open

Queries 403 error if query author is not in the roles list

Added by Stephane Evr about 6 years ago. Updated about 1 year ago.

Status: New
Priority: Normal
Assignee: -
Category: Issues
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution:
Affected version:

Description

How to reproduce (with vanilla Redmine 3.4):

- Go to a project where you are a member with Role A
- Create a query and save it. Make it visible to Role B
- Save the query

Result:
- Error 403

In my opinion, a query should always be visible to its author, provided that he has sufficient rights to access the project.

How to fix it:
Here: https://github.com/redmine/redmine/blob/7fd04e1f8d36d78ee4f680d0a312c9eac2c65e90/app/models/query.rb#L339

In the case above, a simple check on user == self.user should fix the problem.
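
The visibility rule discussed in the report above, as an added example that is not part of the original report or of Redmine's code: a simplified stand-alone Ruby model (the `User` and `SavedQuery` structs and both method names are hypothetical) that compares a role-list-only check with one that also admits the author, but only after the project-access check has passed.

```ruby
# Simplified stand-alone model of a role-restricted saved query (hypothetical
# classes; not Redmine's models or its actual Query#visible? implementation).
User = Struct.new(:name, :roles_by_project) do
  # Roles the user holds in the given project ([] when not a member).
  def roles_for(project)
    roles_by_project.fetch(project, [])
  end

  def member_of?(project)
    !roles_for(project).empty?
  end
end

SavedQuery = Struct.new(:project, :author, :visible_roles) do
  # Behaviour described in the report: only the role list is consulted, so an
  # author whose own role is not in the list is refused.
  def visible_roles_only?(user)
    return false unless user.member_of?(project)
    !(user.roles_for(project) & visible_roles).empty?
  end

  # Proposed behaviour: the author always sees the query, but only after the
  # project-access check has passed.
  def visible_with_author_check?(user)
    return false unless user.member_of?(project)
    return true if user == author
    !(user.roles_for(project) & visible_roles).empty?
  end
end

# Constructed sample data.
alice = User.new("alice", { "demo" => [:role_a] })   # author, Role A
bob   = User.new("bob",   { "demo" => [:role_b] })   # Role B member
carol = User.new("carol", { "demo" => [:role_a] })   # Role A, not the author
query = SavedQuery.new("demo", alice, [:role_b])

def visibility_report(query, users)
  users.map { |u| [u.name, query.visible_roles_only?(u), query.visible_with_author_check?(u)] }
end

visibility_report(query, [alice, bob, carol]).each do |name, before, after|
  puts format("%-6s roles-only=%-5s with-author-check=%s", name, before, after)
end
```

Keeping the project-access check ahead of the author check means a former member does not retain access to a query merely because they created it.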

#1

Updated by Go MAEDA about 1 year ago

  • Category set to Issues