Plugins Directory » Redmine View Issue Description

Author: Jan Catrysse
Website: https://github.com/redminetrustteam/redmine_view_issue_description
Code repository: https://github.com/redminetrustteam/redmine_view_issue_description
Registered on: 2021-08-02 (over 4 years ago)
Current version: 0.2.0
Compatible with: Redmine 6.1.x, 6.0.x, 5.1.x, 5.0.x

This plugin adds the possibility to limit the visibility of issue descriptions, based on role permissions and selected trackers.
The main goal is to limit visibility for external users (e.g., customers) without hiding the essential issue overview and issue-related information.

Without the view_issue_description permission, a user cannot open an issue or view its description.
With the additional view_watched_issues permission, you can extend visibility to users or groups that are watchers on specific issues.

Some extra features have been added to improve the general usability.

Features

  1. Project module issue_tracking has extended permissions:
       • view_issue_description: required to open an issue and view its description, journals, and attachments.
       • view_watched_issues: watcher-based visibility; watched issues are visible and accessible even without view_issue_description.
       • view_activities: controls access to the project activity tab.
  2. Global permission:
       • view_activities_global: controls access to the application-wide activity overview.
  3. API calls on issues have been extended with:
       • repository information when using include=changesets_new
       • helpdesk_ticket information if the RedmineUP helpdesk plugin is installed.
       • Set include=journal_messages,journals for helpdesk journal data.

The tracker-level checkboxes for view_issue_description and view_watched_issues are injected into the role form via a Deface override so upgrades to Redmine core do not require copying the entire partial.

Note on assignee access: users assigned to an issue always have access to the issue detail page, regardless of their role's view_issue_description setting. This is intentional — assignees must be able to see the issue they are working on.

Upgrade note: after installing the plugin, existing roles will no longer have access to the project activity tab until view_activities is explicitly granted. Assign this permission to all roles that previously had unrestricted activity access.

Installation notes

  1. Move the files into $REDMINE/plugins/redmine_view_issue_description
  2. Install plugin dependencies from the plugin directory (Deface is required to extend the role form without copying the core partial):
       bundle install
  3. Restart Redmine.

Changelog

0.2.0 (2026-03-16)

Compatible with Redmine 6.1.x, 6.0.x, 5.1.x, 5.0.x.

Complete refactoring of the plugin.

0.1.6 (2026-03-15)

Compatible with Redmine 6.1.x, 6.0.x, 5.1.x, 5.0.x.

  • Security: `view_issue_relations` no longer grants general issue visibility; the permission is now limited to controlling the relations block on the detail page only.
  • Security: Fixed cross-role authorization escalation in `description_access_granted?` — tracker access and issue-visibility constraints are now evaluated per role, not independently across all roles combined.
  • Security: Watcher autocomplete now always scopes to the current project, even when a search query is present (previously leaked principals from other projects).
  • Fix: Resolved double-render error in the custom API endpoint; variables are now set up before rendering instead of re-rendering after `show`.
  • Fix: Group watchers are now included in the `visible_condition` SQL, making watched issues appear consistently in lists (previously only worked on the detail page).
  • Fix: Nil user and nil `assigned_to` no longer cause a `NoMethodError` in `visible?`.
  • Fix: `view_watched_issues` permission is now used (instead of `view_issue_description`) to gate self-watching, making watcher-based visibility coherent.
  • Fix: Query description-column visibility now respects tracker-specific permissions, consistent with the issue detail page.
  • Fix: Activities authorization simplified — removed duplicate `authorize` calls and circular logic.
  • Added `view_issue_relations` to the role form tracker-permission UI.
  • Added `permission_view_issue_relations` translation to all supported locales (de, en, es, fr, nl, ro).
  • Added `include_changesets_new?` support for array and comma-separated `include` params.

0.1.5 (2026-03-15)

Compatible with Redmine 6.1.x, 6.0.x, 5.1.x, 5.0.x.

WARNING: Some security issues are still to be resolved.

0.1.5

  • Added `view_issue_relations` permission that makes all issue relations visible across projects for users who hold this permission in any project.
  • Fixed issue relations and subtasks not appearing when the related issue belonged to a project where the current user only had `view_issue` (without `view_issue_description`).
  • Security fix: blocked privilege escalation via self-watching.

0.1.4

  • Fixed mixed-role authorization leak where `view_issue_description` could be combined across roles to expose descriptions outside the role's `issues_visibility` scope.
  • Restored watcher-based visibility exception so `view_watched_issues` can make watched issues visible independent of base issues visibility constraints.
  • Added regression and edge-case specs for mixed-role, watcher exception, own-only, and private/default visibility behavior.
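
The mixed-role leak fixed in 0.1.4 and the cross-role escalation fixed in 0.1.6 share one cause: each constraint was satisfied by some role, not all by the same role. The following is an added illustration, not the plugin's code; the structs, method names and sample roles are constructed, and only the `issues_visibility` values (all, default, own) are Redmine's.

```ruby
# Added illustration: simplified model, not the plugin's code.
# Struct fields, method names and sample data are constructed for this example.
Role  = Struct.new(:name, :permissions, :tracker_ids, :issues_visibility, keyword_init: true)
Issue = Struct.new(:id, :tracker_id, :author_id, :assigned_to_id, :is_private, keyword_init: true)

# Redmine core semantics of a role's issues_visibility: 'all', 'default', 'own'.
def visible_under?(role, issue, user_id)
  involved = [issue.author_id, issue.assigned_to_id].include?(user_id)
  case role.issues_visibility
  when 'all'     then true
  when 'default' then !issue.is_private || involved
  when 'own'     then involved
  else false
  end
end

# Flawed shape: every constraint may be satisfied by a different role.
def access_combined?(roles, issue, user_id)
  roles.any? { |r| r.permissions.include?(:view_issue_description) } &&
    roles.any? { |r| r.tracker_ids.include?(issue.tracker_id) } &&
    roles.any? { |r| visible_under?(r, issue, user_id) }
end

# Fixed shape: a single role must satisfy all constraints at once.
def access_per_role?(roles, issue, user_id)
  roles.any? do |r|
    r.permissions.include?(:view_issue_description) &&
      r.tracker_ids.include?(issue.tracker_id) &&
      visible_under?(r, issue, user_id)
  end
end

# Regression helper: ids of issues the combined check exposes but no single role allows.
def escalated_issue_ids(roles, issues, user_id)
  issues.select { |i| access_combined?(roles, i, user_id) && !access_per_role?(roles, i, user_id) }
        .map(&:id)
end

# Constructed sample: user 7 holds both roles in the same project.
CUSTOMER = Role.new(name: 'Customer', permissions: [:view_issues, :view_issue_description],
                    tracker_ids: [1], issues_visibility: 'own')
REPORTER = Role.new(name: 'Reporter', permissions: [:view_issues],
                    tracker_ids: [], issues_visibility: 'all')
ISSUES = [
  Issue.new(id: 10, tracker_id: 1, author_id: 99, assigned_to_id: 98, is_private: false),
  Issue.new(id: 11, tracker_id: 1, author_id: 7,  assigned_to_id: nil, is_private: false),
  Issue.new(id: 12, tracker_id: 2, author_id: 99, assigned_to_id: nil, is_private: false)
].freeze
```

Calling `escalated_issue_ids([CUSTOMER, REPORTER], ISSUES, 7)` returns the issues whose description the combined check would expose; a regression spec can assert that this list is empty for every role pairing used in production.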

0.1.3 (2025-12-16)

Compatible with Redmine 6.1.x, 6.0.x, 5.1.x, 5.0.x, 4.2.x, 4.1.x, 4.0.x.

Added view_watched_issues permission to allow watcher-based access when granted on a role.

When this permission is enabled for a user, you can add them to an issue's watchers list. Being a watcher grants the user access to that specific issue and allows them to receive email updates regarding changes.
This provides a method for granting fine-grained access to issues that are otherwise invisible to users. (Example case: The default permission for customers typically restricts access to issues they created or are currently assigned to).

0.1.2 (2023-08-07)

Compatible with Redmine 5.1.x, 5.0.x, 4.2.x, 4.1.x, 4.0.x.

  • Removed the filter on root_issue; it has been moved to the `redmine_parent_child_filters` plugin.
  • Removed the "not equal to" operator on start_date and end_date; it has been moved to the `redmine_parent_child_filters` plugin.
  • Correction for more consistent access based on user permissions.
  • Resolved potential issue: SystemStackError (stack level too deep)
    Converted models to use alias_method
  • Update locales

0.1.1 (2023-07-12)

Compatible with Redmine 5.1.x, 5.0.x, 4.2.x, 4.1.x, 4.0.x.

  • An exception is made on issues where the user is the assigned user.
  • The exception on issues where the user is the author has been removed, because tickets are often created automatically when the customer sends an email.
    In that situation, it doesn't make sense to grant view_issue_description by default.

0.1.0 (2023-07-11)

Compatible with Redmine 5.1.x, 5.0.x, 4.2.x, 4.1.x, 4.0.x.

  • Complete rewrite.
  • Compatible with Redmine 4.x and 5.x
  • No more code hacking required for the API calls.

0.0.3 (2022-09-08)

Compatible with Redmine 4.2.x, 4.1.x.

  • Changed Git location.

0.0.2 (2021-09-20)

Compatible with Redmine 4.2.x, 4.1.x.

  • It activates an API call on issues to show the changesets repository information.

0.0.1 (2021-08-01)

Compatible with Redmine 4.2.x, 4.1.x.