Only allow visible custom fields as aggregation criteria in time reports
Assignee: Go MAEDA
In time reports, the user can currently select any custom field defined in the Redmine system as an aggregation criterion. This can lead to confusion since the returned data might not reflect the custom field or might even lead to an information leak regarding the existence of a hidden custom field. The data returned in the report itself is correctly filtered so that the field is only considered if it is actually visible to the current user.
The attached patch filters the custom fields available as aggregation criteria in the report to only allow the use of visible custom fields.
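A simplified Ruby model of the filtering described above, added here as an illustration; it is not Redmine's code or the attached patch. The class, method and field names (`TimeReport`, `available_criteria`, `visible_to?`) and the sample data are hypothetical.

```ruby
# Hypothetical model: custom fields with per-role visibility.
CustomField = Struct.new(:id, :name, :visible_to_all, :role_ids) do
  # Visible if public, or if the user holds one of the field's roles.
  def visible_to?(user)
    visible_to_all || !(role_ids & user.role_ids).empty?
  end
end
User = Struct.new(:login, :role_ids)
TimeEntry = Struct.new(:hours, :custom_values) # custom_values: {field_id => value}

class TimeReport
  def initialize(fields, entries, user)
    @fields, @entries, @user = fields, entries, user
  end

  # only_visible: false models the old behaviour, where every defined
  # field is offered and the names of hidden fields leak to the user.
  def available_criteria(only_visible: true)
    fields = only_visible ? @fields.select { |f| f.visible_to?(@user) } : @fields
    fields.map(&:name)
  end

  # Enforce the same filter when the criterion is submitted, not only
  # when the list is rendered. Hidden and nonexistent fields produce the
  # same error, so the response does not confirm that a field exists.
  def hours_by(name)
    raise ArgumentError, "unknown criterion" unless available_criteria.include?(name)
    field = @fields.find { |f| f.name == name }
    @entries.group_by { |e| e.custom_values[field.id] }
            .transform_values { |es| es.sum(&:hours) }
  end
end

# Constructed sample data.
FIELDS = [
  CustomField.new(1, "Cost center", true, []),
  CustomField.new(2, "Internal rate", false, [9]) # visible to role 9 only
].freeze
ENTRIES = [
  TimeEntry.new(2.0, { 1 => "A", 2 => "high" }),
  TimeEntry.new(3.5, { 1 => "A", 2 => "low" }),
  TimeEntry.new(1.0, { 1 => "B" })
].freeze
REPORTER = User.new("reporter", [3])
MANAGER  = User.new("manager", [9])
```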
Only allow the use of visible custom fields in time entry reports (#29162).
Patch by Holger Just.
- Related to Patch #29161: Avoid SQL errors when adding a project custom field as a time report criteria added
With just this patch, we can avoid the consequences of #29161 (at least I have not found any other place where this is an issue). Still, we should also apply #29161 to make the method safe to use for ProjectCustomFields.
- Target version set to Candidate for next minor release
- File firstname.lastname@example.org added
- Target version changed from Candidate for next minor release to 3.3.9
I confirmed the problem. Setting the target version to 3.3.9.
- Status changed from New to Resolved
- Assignee set to Go MAEDA
- Status changed from Resolved to Closed
- Target version changed from 3.3.9 to 4.0.0
Committed. Thank you for detecting and fixing this issue.