Defect #28693

Irrelevant permission is required to access some tabs in project settings page

Added by Fabrizio Sebastiani 3 months ago. Updated 3 months ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: Go MAEDA
% Done: 0%
Category: Permissions and roles
Target version: 3.4.6
Resolution: Fixed
Affected version: 3.1.2

Description

It is not clear why it is necessary to give the "Edit project" right to create a new forum and so let the "Settings" tab appear; in fact, giving the "Forum Manager" right does not let the "new forum" command appear.

tests.patch (1.4 KB) Mizuki ISHIKAWA, 2018-05-21 10:10

Associated revisions

Revision 17359
Added by Go MAEDA 3 months ago

Fix: Irrelevant permission is required to access some tabs in project settings page (#28693).

Patch by Go MAEDA.

Revision 17360
Added by Go MAEDA 3 months ago

Tests for r17359 (#28693).

Patch by Mizuki ISHIKAWA.

Revision 17361
Added by Go MAEDA 3 months ago

Merged r17359 and r17360 from trunk to 3.4-stable (#28693).

Revision 17362
Added by Go MAEDA 3 months ago

Fix improper way of getting roles in test_settings_should_show_tabs_depending_on_permission (#28693).

Revision 17363
Added by Go MAEDA 3 months ago

merged r17362 from trunk to 3.4-stable (#28693).

History

#1 Updated by Go MAEDA 3 months ago

  • Category changed from Forums to Permissions and roles

#2 Updated by Go MAEDA 3 months ago

  • Status changed from New to Confirmed

I confirmed the problem in the current trunk r17328.

Users cannot see some tabs in the "Settings" tab if they don't have the "Edit project", "Manage members", "Manage versions" or "Manage issue categories" permission. For example, to access the "Forums" tab, users should have one of those permissions in addition to the "Manage forum" permission. I think the behavior is inconsistent and illogical. Please see the following table for details.

| Tab | Required permission(s) |
|---|---|
| Project | Edit project |
| Members | Manage members |
| Issue tracking | Edit project |
| Versions | Manage versions |
| Issue categories | Manage issue categories |
| Repositories | Manage repository AND (Edit project OR Manage members OR Manage versions OR Manage issue categories) |
| Forums | Manage forums AND (Edit project OR Manage members OR Manage versions OR Manage issue categories) |
| Time tracking | Manage project activities AND (Edit project OR Manage members OR Manage versions OR Manage issue categories) |
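
The table above describes two stacked checks: one on the settings action and one per tab. The following is an added example, not Redmine's code and not part of the original note. It models both checks before and after the three permissions from the workaround later in this thread are mapped to the settings action. The tab keys and the first four permission symbols are assumed names for the table's labels.

```ruby
# Added illustration: a simplified model of the two checks, not Redmine's code.
# Tab keys are hypothetical. The first four permission symbols are assumed
# names for "Edit project", "Manage members", "Manage versions" and
# "Manage issue categories"; the last three appear in the patch on this page.

# Tab => permission that decides whether the tab is rendered.
TAB_PERMISSION = {
  info:         :edit_project,
  members:      :manage_members,
  issues:       :edit_project,
  versions:     :manage_versions,
  categories:   :manage_categories,
  repositories: :manage_repository,
  boards:       :manage_boards,
  activities:   :manage_project_activities
}.freeze

# Permissions that authorize the settings action itself.
SETTINGS_ACTION_BEFORE = %i[edit_project manage_members manage_versions
                            manage_categories].freeze
SETTINGS_ACTION_AFTER = (SETTINGS_ACTION_BEFORE +
  %i[manage_repository manage_boards manage_project_activities]).freeze

# Returns the tabs a role can reach, or :forbidden when the action-level
# check rejects the request before any tab is considered.
def reachable_tabs(role_permissions, action_permissions)
  return :forbidden if (role_permissions & action_permissions).empty?
  TAB_PERMISSION.select { |_tab, perm| role_permissions.include?(perm) }.keys
end

# Tabs whose own permission does not open the settings action: a role holding
# only that permission is locked out, which is the reported defect.
def orphaned_tabs(action_permissions)
  TAB_PERMISSION.reject { |_tab, perm| action_permissions.include?(perm) }.keys
end

if __FILE__ == $PROGRAM_NAME
  forum_manager = [:manage_boards] # constructed role for the example
  p reachable_tabs(forum_manager, SETTINGS_ACTION_BEFORE)
  p reachable_tabs(forum_manager, SETTINGS_ACTION_AFTER)
  p orphaned_tabs(SETTINGS_ACTION_BEFORE)
  p orphaned_tabs(SETTINGS_ACTION_AFTER)
end
```

Widening the action-level set only grants the tabs a role already holds permissions for, as long as the per-tab check stays in place.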

#3 Updated by Go MAEDA 3 months ago

Here is a workaround for this issue.

Index: lib/redmine.rb
===================================================================
--- lib/redmine.rb    (revision 17328)
+++ lib/redmine.rb    (working copy)
@@ -125,7 +125,7 @@
     map.permission :log_time, {:timelog => [:new, :create]}, :require => :loggedin
     map.permission :edit_time_entries, {:timelog => [:edit, :update, :destroy, :bulk_edit, :bulk_update]}, :require => :member
     map.permission :edit_own_time_entries, {:timelog => [:edit, :update, :destroy,:bulk_edit, :bulk_update]}, :require => :loggedin
-    map.permission :manage_project_activities, {:project_enumerations => [:update, :destroy]}, :require => :member
+    map.permission :manage_project_activities, {:projects => :settings, :project_enumerations => [:update, :destroy]}, :require => :member
   end

   map.project_module :news do |map|
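Review bot: On the `+` line for `:manage_project_activities`, adding `:projects => :settings` authorizes the whole settings action for this permission, so the only thing keeping such a user off the Project, Members, Versions and Issue categories tabs is the per-tab permission check, which is outside this diff. Please confirm each tab is still gated by its own permission, and add a test that a role holding only `manage_project_activities` gets the Time tracking tab and no other.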
@@ -163,7 +163,7 @@
     map.permission :browse_repository, {:repositories => [:show, :browse, :entry, :raw, :annotate, :changes, :diff, :stats, :graph]}, :read => true
     map.permission :commit_access, {}
     map.permission :manage_related_issues, {:repositories => [:add_related_issue, :remove_related_issue]}
-    map.permission :manage_repository, {:repositories => [:new, :create, :edit, :update, :committers, :destroy]}, :require => :member
+    map.permission :manage_repository, {:projects => :settings, :repositories => [:new, :create, :edit, :update, :committers, :destroy]}, :require => :member
   end

   map.project_module :boards do |map|
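Review bot: The `+` line for `:manage_repository` maps a repository permission to an action on the projects controller, and nothing on the line says why. A short comment above it, stating that `:projects => :settings` is there only so the Repositories tab is reachable without an unrelated permission, would stop a later cleanup from removing the entry as out of place.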
@@ -173,7 +173,7 @@
     map.permission :edit_own_messages, {:messages => :edit, :attachments => :upload}, :require => :loggedin
     map.permission :delete_messages, {:messages => :destroy}, :require => :member
     map.permission :delete_own_messages, {:messages => :destroy}, :require => :loggedin
-    map.permission :manage_boards, {:boards => [:new, :create, :edit, :update, :destroy]}, :require => :member
+    map.permission :manage_boards, {:projects => :settings, :boards => [:new, :create, :edit, :update, :destroy]}, :require => :member
   end

   map.project_module :calendar do |map|
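Review bot: With the `:manage_boards` line this is the third hand-written copy of `:projects => :settings` in the patch, and the visible lines do not record the rule that a permission guarding a settings tab must carry this entry. A tab added later with its own permission would show the reported symptom again if the entry is forgotten; a test that walks every settings tab and checks that its permission alone reaches the settings action would catch that.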

#4 Updated by Go MAEDA 3 months ago

  • Target version set to Candidate for next minor release

#5 Updated by Mizuki ISHIKAWA 3 months ago

I wrote a test for the code written by Go MAEDA (#28693#note-3).
This test code will test that project settings and tabs are displayed according to permissions.

#6 Updated by Go MAEDA 3 months ago

  • Subject changed from Edit project right necessary to create new forum to Irrelevant permission is required to access some tabs in project settings page
  • Target version changed from Candidate for next minor release to 3.3.8

Setting target version to 3.3.8.

#7 Updated by Go MAEDA 3 months ago

  • Status changed from Confirmed to Resolved
  • Assignee set to Go MAEDA
  • Resolution set to Fixed

#8 Updated by Go MAEDA 3 months ago

  • Status changed from Resolved to Closed
  • Target version changed from 3.3.8 to 3.4.6

Committed. Thank you all for contributing to the Redmine project.
