Defect #36772

Private notes are visible for users when the option isn't activated

Added by eric c 4 months ago. Updated 2 months ago.

Status: Needs feedback
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Permissions and roles
Target version: -
Resolution:
Affected version: 4.2.1

Description

Hi,

We have created users where the option "view private notes" (view_private_notes) is unchecked on the roles page.
When the user logs in he can see the private notes...

Can't find an issue regarding this problem, so I've created this one :)

These are the issue tracking settings:

The role setting regarding issues is:
role[issues_visibility] : default (all non private issues)

This is the used configuration:

Environment:
  Redmine version                4.2.1.stable
  Ruby version                   2.7.4-p191 (2021-07-07) [x86_64-linux]
  Rails version                  5.2.5
  Environment                    production
  Database adapter               Mysql2
  Mailer queue                   ActiveJob::QueueAdapters::AsyncAdapter
  Mailer delivery                smtp
SCM:
  Subversion                     1.10.4
  Mercurial                      4.8.2
  Bazaar                         2.8.0
  Git                            2.20.1
  Filesystem                     
Redmine plugins:
  issue_recurring                1.6

I hope this is all the info that is needed to solve the problem.
In case there are questions, let me know :)

Thanks so far!

settings.png (27.6 KB) eric c, 2022-03-16 14:23

History

#1 Updated by Holger Just 3 months ago

  • Status changed from New to Needs feedback

Users can have multiple roles in a project. If any of those roles allows the user to see private notes, they can see them in the project.

In addition to that, a user is always able to see their own notes, even if the note is private and they are not allowed to see private notes in general.

Please verify this. If you still find this to be an issue, please describe your setup with more details which would allow us to recreate what you see based on an empty/new Redmine installation.
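
The visibility rule described in comment #1, as an added example that is not part of the original thread and is not Redmine's own code: a simplified Ruby model that reports why a given private note is visible to a user. The role names, memberships and notes are constructed sample data, and the helper names (`granting_roles`, `explain_visibility`) are hypothetical.

```ruby
# Simplified model of the rule from comment #1; not Redmine's implementation.
# All names and sample data are constructed for illustration.
Role       = Struct.new(:name, :permissions)
Membership = Struct.new(:project, :role, :via)   # via: "direct" or a group name
Note       = Struct.new(:author, :project, :private)

# Roles held in one project that grant view_private_notes, with their source.
def granting_roles(memberships, project)
  memberships
    .select { |m| m.project == project }
    .select { |m| m.role.permissions.include?(:view_private_notes) }
    .map    { |m| "#{m.role.name} (#{m.via})" }
    .uniq
end

# Returns [visible, reason] for one user and one note.
def explain_visibility(user, memberships, note)
  return [true, "note is not private"] unless note.private
  # A user always sees their own notes, even private ones.
  return [true, "user is the author of the note"] if note.author == user
  # Any single role in the project that grants the permission is enough.
  grants = granting_roles(memberships, note.project)
  return [true, "granted by: #{grants.join(', ')}"] unless grants.empty?
  [false, "no role in this project grants view_private_notes"]
end

# Constructed roles: only "Developer" may view private notes.
EXTERNAL  = Role.new("External user", [:view_issues, :add_issue_notes])
DEVELOPER = Role.new("Developer", [:view_issues, :view_private_notes])

# Constructed memberships of user "alice": the group gives the restricted
# role everywhere, but a second, direct role exists in project-b.
MEMBERSHIPS = [
  Membership.new("project-a", EXTERNAL,  "group: externals"),
  Membership.new("project-b", EXTERNAL,  "group: externals"),
  Membership.new("project-b", DEVELOPER, "direct")
].freeze

NOTES = [
  Note.new("bob",   "project-a", true),
  Note.new("bob",   "project-b", true),
  Note.new("alice", "project-a", true)
].freeze

NOTES.each do |note|
  visible, reason = explain_visibility("alice", MEMBERSHIPS, note)
  puts "#{note.project} by #{note.author}: visible=#{visible} (#{reason})"
end
```
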

#2 Updated by eric c 2 months ago

Took me some time to give a reaction...

The affected user has access to multiple projects; access is set using a specific group.
Projects that are connected all have the same role (external user).

The "external user" role isn't allowed to view, add or edit private notes. It is the same with the issue, the user can't change it into private.
