Defect #35090

Permission check of the setting button on the issues page mismatches button semantics

Added by Felix Schäfer over 1 year ago. Updated 7 months ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: Go MAEDA
% Done: 0%
Category: UI
Target version: 4.1.6
Resolution: Fixed
Affected version: 4.2.0

Description

In source:/tags/4.2.0/app/views/issues/index.html.erb#L16 the link goes to the issues tab of the project settings. The button is only shown if the user has the manage_categories permission but the permission required for this tab is edit_project source:/tags/4.2.0/app/helpers/projects_helper.rb#L28

Note that this is only a UI issue: the button might be shown to users that cannot see the tab that it links to, or the button might not be shown to users that would be able to see the tab that it links to, but upon following the link the correct permission is checked. There is also no information disclosure associated with this issue.

fix-35090.patch (1.76 KB) Takenori TAKAKI, 2021-10-07 06:46
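
An added example, not part of the original report or Redmine's code: a small Ruby model of the mismatch described above, comparing the permission that gates the button with the permission the settings tab enforces. The role names, helper names and the `aligned` gate are assumptions for illustration; the page does not show what the attached patch changes.

```ruby
# Added illustration; not Redmine source. Role names and helper names are
# hypothetical. The two permission symbols are the ones named in the report.
require 'set'

# Constructed sample roles and their permission sets.
ROLES = {
  'category_manager' => Set[:manage_categories],
  'project_editor'   => Set[:edit_project],
  'manager'          => Set[:manage_categories, :edit_project],
  'reporter'         => Set[]
}.freeze

# Permission enforced by the destination (issues tab of the project settings).
TARGET_PERMISSION = :edit_project

# View-side gates: the one described in the report, and one assumed alignment.
BUTTON_GATES = {
  reported: :manage_categories,
  aligned:  :edit_project
}.freeze

def allowed?(role, permission)
  ROLES.fetch(role).include?(permission)
end

# Compare "button is rendered" with "target is reachable" for every role.
def audit(gate)
  ROLES.keys.each_with_object({}) do |role, out|
    shown     = allowed?(role, gate)
    reachable = allowed?(role, TARGET_PERMISSION)
    out[role] =
      if shown && !reachable then :dead_link      # button shown, tab denied
      elsif !shown && reachable then :hidden_link # tab allowed, no button
      else :consistent
      end
  end
end

# Only the roles for which the UI and the enforced permission disagree.
def mismatches(gate)
  audit(gate).reject { |_, verdict| verdict == :consistent }
end

if __FILE__ == $PROGRAM_NAME
  BUTTON_GATES.each { |name, gate| puts "#{name}: #{mismatches(gate)}" }
end
```

The same comparison can be turned into a view test that renders the page once per role and asserts the button's presence matches access to the linked tab.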


Related issues

Related to Redmine - Feature #22090: Make project settings more accessible Closed

Associated revisions

Revision 21357
Added by Go MAEDA 7 months ago

Permission check of the setting button on the issues page mismatches button semantics (#35090).

Patch by Takenori TAKAKI.

Revision 21360
Added by Go MAEDA 7 months ago

Merged r21357 from trunk to 4.2-stable (#35090).

Revision 21361
Added by Go MAEDA 7 months ago

Merged r21357 from trunk to 4.1-stable (#35090).

History

#1 Updated by Holger Just over 1 year ago

  • Description updated (diff)

#2 Updated by Takenori TAKAKI 10 months ago

I made a patch to fix & test issue #35090, and attached it.

#3 Updated by Go MAEDA 10 months ago

  • Related to Feature #22090: Make project settings more accessible added

#4 Updated by Go MAEDA 10 months ago

  • Status changed from New to Confirmed
  • Target version set to 4.1.5

Setting the target version to 4.1.5.

#5 Updated by Go MAEDA 10 months ago

  • Target version changed from 4.1.5 to 4.1.6

#6 Updated by Go MAEDA 7 months ago

  • Subject changed from Permission check mismatches button semantics to Permission check of the setting button on the issues page mismatches button semantics
  • Status changed from Confirmed to Resolved
  • Assignee set to Go MAEDA
  • Resolution set to Fixed

Committed the patch. Thank you for your contribution.

#7 Updated by Go MAEDA 7 months ago

  • Status changed from Resolved to Closed
