Private notes are visible for users when the option isn't activated
|Status:||Needs feedback||Start date:|
|Category:||Permissions and roles|
We have created users where the options "view private notes" (view_private_notes) is unchecked on the roles page.
When the user logs in he can see the private notes...
Can't find an issue regarding this problem, so I've created this one :)
This are the issue tracking settings:
The role setting regarding issues is:
role[issues_visibility] : default (all non private issues)
This is the used configuration:
Environment: Redmine version 4.2.1.stable Ruby version 2.7.4-p191 (2021-07-07) [x86_64-linux] Rails version 5.2.5 Environment production Database adapter Mysql2 Mailer queue ActiveJob::QueueAdapters::AsyncAdapter Mailer delivery smtp SCM: Subversion 1.10.4 Mercurial 4.8.2 Bazaar 2.8.0 Git 2.20.1 Filesystem Redmine plugins: issue_recurring 1.6
I hope this is all the info that is needed to solve to problem.
In case there are questions, let me know :)
Thanks so far!
#1 Updated by Holger Just 3 months ago
- Status changed from New to Needs feedback
Users can have multiple roles in a project. If any of those roles allows the user to see private notes, they can see them in the project.
In addition to that, a user is always able to see their own notes, even if the note is private and they are not allowed to see private notes in general.
Please verify this. If you still find this to be an issue, please describe your setup with more details which would allow us to recreate what you see based on an empty/new Redmine installation.
Took me some time to give a reaction...
The affected user has access to multiple projects, access is set using the a specific group.
Projects that are connected all have the same rol (external user).
The "external user" role isn't allowed to view, add or edit private notes. It is the same with the issue, the user can't change it into private.