Feature #23997
closedPer role visibility settings for version custom fields
0%
Description
For issue custom fields, one can already select which roles should be allowed to view this field.
This patch, developed at Planio and sponsored by SDZeCOM GmbH, introduces the same setting for project and version custom fields.
Files
Related issues
Updated by Jan from Planio www.plan.io about 8 years ago
- Target version set to Candidate for next minor release
Updated by Jens Krämer about 8 years ago
- File 0001-per-role-visibility-settings-for-project-and-version.patch 0001-per-role-visibility-settings-for-project-and-version.patch added
turns out the patch led to invalid SQL for project custom fields, here is an updated version which overrides CustomField#visibility_by_project_condition
in ProjectCustomField
to work with the correct project_key
(that is, projects.id
instead of projects.project_id
).
Updated by Toshi MARUYAMA about 8 years ago
- Related to Feature #5037: Role-based issue custom field visibility added
Updated by Mariusz Zielinski over 7 years ago
Hello,
When we may expect custome fields per role visibility available? (this could be really powerfull feature)
Updated by Go MAEDA over 5 years ago
- Has duplicate Feature #15416: Role-based issue custom field visibility for projects added
Updated by Marius BĂLTEANU over 5 years ago
- Related to Feature #31859: Per role visibility settings for spent time custom fields added
Updated by Marius BĂLTEANU over 5 years ago
- Assignee set to Marius BĂLTEANU
I'll update these patches in order to be applied on top of #31859. Jens Krämer, maybe you'll have time to review my work.
Updated by Marius BĂLTEANU over 5 years ago
- File 0001-Per-role-visibility-settings-for-project-custom-fiel.patch 0001-Per-role-visibility-settings-for-project-custom-fiel.patch added
I've attached the patch that adds per role visibility settings for project.
Working on it, I've observed an inconsistent behaviour (which I consider it a defect/security issue), the project custom fields not visible for normal users are still visible in project settings for those users who have access to project settings. This issue can be easily reproduced using the test test_settings_should_not_display_custom_fields_not_visible_for_user
added by me in test/functional/projects_controller_test
.
Also, in order to keep the current behaviour where a custom field can be displayed in project#show
only for admin users, we cannot validate the roles values when saving a project custom field (as we do for issues/spent entries) in order to allow saving a custom field with "to these roles only:" checked, but without any role checked (which is the equivalent of visible: false
). Otherwise, we need to add a new option to visibility in order to allow "admin only".
Tests pass: https://gitlab.com/redmine-org/redmine/pipelines/76036437
Jens Krämer, Go Maeda, what do you think about these changes?
Updated by Go MAEDA over 5 years ago
Marius BALTEANU wrote:
Working on it, I've observed an inconsistent behaviour (which I consider it a defect/security issue), the project custom fields not visible for normal users are still visible in project settings for those users who have access to project settings.
The behavior will be fixed by your patch and the new behavior is straightforward.
Also, in order to keep the current behaviour where a custom field can be displayed in
project#show
only for admin users, we cannot validate the roles values when saving a project custom field (as we do for issues/spent entries) in order to allow saving a custom field with "to these roles only:" checked, but without any role checked (which is the equivalent ofvisible: false
).
I think it is OK.
Updated by Marius BĂLTEANU over 5 years ago
- Related to Feature #31925: Per role visibility settings for project custom fields added
Updated by Marius BĂLTEANU over 5 years ago
- File 0001-Per-role-visibility-for-version-custom-fields.patch 0001-Per-role-visibility-for-version-custom-fields.patch added
- Subject changed from Per role visibility settings for project and version custom fields to Per role visibility settings for version custom fields
Attached the patch for version custom fields. Jens, do you remember why did you override the @safe_attributes=
method in your proposed patch for Version
?
Tests pass: https://gitlab.com/redmine-org/redmine/pipelines/77404580
Updated by Jens Krämer over 5 years ago
Marius Ionescu - From the looks of it I would say I did that to prevent a user from setting the values of fields they cannot see through a crafted request. The same logic is present in the issue model. strictly speaking the same should be done for projects.
Updated by Marius BĂLTEANU over 5 years ago
- Assignee deleted (
Marius BĂLTEANU) - Target version changed from Candidate for next minor release to 4.1.0
Jens Krämer wrote:
Marius Ionescu - From the looks of it I would say I did that to prevent a user from setting the values of fields they cannot see through a crafted request. The same logic is present in the issue model. strictly speaking the same should be done for projects.
Got it, thanks. Next week I’ll add new patches to implement this logic to Spent time, Project and Version.
Until then, we can deliver this one.
Updated by Go MAEDA over 5 years ago
- Status changed from New to Closed
- Assignee set to Go MAEDA
Committed the patch. Thank you for your contribution.
Updated by Marius BĂLTEANU over 5 years ago
- Related to Patch #31954: Reject project/version custom field values not visible to user added
Updated by Jean-Philippe Lang about 5 years ago
- Tracker changed from Patch to Feature