Project

General

Profile

Actions
Copy link

Defect #35090

closed

Permission check of the setting button on the issues page mismatches button semantics

Added by Felix Schäfer about 3 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Go MAEDA
Category:
UI
Target version:
4.1.6
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:
4.2.0

Description

In source:/tags/4.2.0/app/views/issues/index.html.erb#L16 the link goes to the issues tab of the project settings. The button is only shown if the user has the manage_categories permission but the permission required for this tab is edit_project source:/tags/4.2.0/app/helpers/projects_helper.rb#L28

Note that this is only a UI issue, the button might be shown to users that cannot see the tab that it links to or the button might not be shown to users that would be able to see the tab that it links too, but upon following the link the correct permission is checked. There also is no information disclosure associated with this issue.

Files

fix-35090.patch (1.76 KB) fix-35090.patch Takenori TAKAKI, 2021-10-07 06:46

Related issues

Related to Redmine - Feature #22090: Make project settings more accessibleClosedJean-Philippe Lang

Actions
Actions
Copy link

Also available in: Atom PDF