Defect #41465
Status: Closed
Subject: "Import issues" and "Import time entries" pages are visible to users without "Add issues" and "Log spent time" permissions
Description
A user without the log_time permission can access /time_entry/imports/new (this user has the import_time_entry permission).
If the user tries to import, an internal error occurs:
ActionView::Template::Error (undefined method `activities' for nil:NilClass
project.activities
^^^^^^^^^^^):
Causes:
NoMethodError (undefined method `activities' for nil:NilClass
project.activities
^^^^^^^^^^^)
7: <p>
8: <label for="import_mapping_activity"><%= l(:field_activity) %></label>
9: <%= mapping_select_tag @import, 'activity', :required => true,
10: :values => @import.allowed_target_activities.sorted.map {|t| [t.name, t.id]} %>
11: </p>
12:
13: <div class="splitcontent">
app/models/time_entry_import.rb:52:in `allowed_target_activities'
app/views/imports/_time_entries_fields_mapping.html.erb:10
app/views/imports/_time_entries_mapping.html.erb:4
app/views/imports/mapping.html.erb:4
app/views/imports/mapping.html.erb:3
lib/redmine/sudo_mode.rb:78:in `sudo_mode'
So this patch adds a check of the log_time permission to `TimeEntryImport.authorized?`.
Updated by Kenta Kumojima about 1 year ago
- File import_time_entry.patch added
Fix patch.
Updated by Go MAEDA about 1 year ago
- Tracker changed from Patch to Defect
- Status changed from New to Confirmed
Thank you for detecting and reporting the issue.
I found IssueImport.authorized? has a similar problem. It should check :add_issues permission.
Updated by Kenta Kumojima about 1 year ago
> I found IssueImport.authorized? has a similar problem. It should check :add_issues permission.
I added checking add_issues permission when importing issues and updated patch.
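The pattern behind both reports (the description above and the IssueImport follow-up) is the same: the page is gated on the import-specific permission only, while the mapping step already depends on the permission the import will exercise, so a user who holds the first but not the second reaches a view that dereferences a nil project. The following is an added example, not Redmine's code or the patch attached to this issue; it models that gap with stand-ins for User#allowed_to? and the two import models, and the names PROJECTS, BaseImport, IMPORT_PERM, ACTION_PERM, authorized_before_fix?, mapping_options and render_mapping are assumptions made for illustration.

```ruby
# Added example, not Redmine's own code. Models the permission gap reported in
# this issue with a minimal stand-in for User#allowed_to? and for the two
# import models; all class, constant and method names below are assumptions.

Project = Struct.new(:name, :activities, :trackers)

class User
  attr_reader :name

  # permissions: Symbols this user holds globally (constructed sample data)
  def initialize(name, permissions)
    @name = name
    @permissions = permissions
  end

  # Simplified stand-in for Redmine's User#allowed_to?(action, project, :global => true)
  def allowed_to?(action, _project = nil, _options = {})
    @permissions.include?(action)
  end
end

# Constructed sample project with activities and trackers the mapping page lists
PROJECTS = [Project.new("demo", %w[Development Design], %w[Bug Feature])].freeze

# Shared shape of both imports: IMPORT_PERM gates the entry point, while the
# mapping step needs ACTION_PERM, the permission the import will actually use.
class BaseImport
  # Before the fix: only the import-specific permission is checked.
  def self.authorized_before_fix?(user)
    user.allowed_to?(self::IMPORT_PERM, nil, :global => true)
  end

  # Hardened check: require both permissions before showing any import page.
  def self.authorized?(user)
    user.allowed_to?(self::IMPORT_PERM, nil, :global => true) &&
      user.allowed_to?(self::ACTION_PERM, nil, :global => true)
  end

  def initialize(user)
    @user = user
  end

  # Projects the import may target: only those where the user holds ACTION_PERM.
  # For a user without it this is empty, which is what the view trips over.
  def allowed_target_projects
    PROJECTS.select { |p| @user.allowed_to?(self.class::ACTION_PERM, p) }
  end
end

class TimeEntryImport < BaseImport
  IMPORT_PERM = :import_time_entries
  ACTION_PERM = :log_time

  # Mirrors the view call in the backtrace (`project.activities` on the first
  # allowed project); with no allowed project this raises NoMethodError on nil.
  def mapping_options
    project = allowed_target_projects.first
    project.activities
  end
end

class IssueImport < BaseImport
  IMPORT_PERM = :import_issues
  ACTION_PERM = :add_issues

  def mapping_options
    project = allowed_target_projects.first
    project.trackers
  end
end

# Simulates controller + mapping view: returns :forbidden when the gate denies,
# :internal_error when the view blows up on nil, otherwise the rendered options.
def render_mapping(import_class, user, check: :authorized?)
  return :forbidden unless import_class.public_send(check, user)

  import_class.new(user).mapping_options
rescue NoMethodError
  :internal_error
end
```

With the pre-fix check, a user holding only import_time_entries gets past the gate and the mapping view raises, which is the ActionView::Template::Error in the description; with the combined check the same user is refused before any view runs, and a user holding both permissions sees the activity or tracker list as before.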
Updated by Go MAEDA about 1 year ago
- File import_issue_and_time_entry-v2.patch added
- Subject changed from User without log_time permission can access /time_entry/imports/new to "Import issues" and "Import time entries" pages are visible to users without "Add issues" and "Log spent time" permissions
I have updated the patch to apply to the current trunk cleanly.
Updated by Go MAEDA about 1 year ago
- Status changed from Confirmed to Closed
- Assignee set to Go MAEDA
- Resolution set to Fixed
I have committed the fix in r23178. Thank you for your contribution.
I didn't set this issue's category to "Security" because, although the import pages are visible to users without permissions, the import process will fail.