Roles and Permission for Root Project Creation

Added by Marek Stepan 5 months ago

Hello, we have found out that every registered user on our Redmine, regardless of Group or Roles and Permissions, can create a Root Project.
We do not want this functionality and I cannot see how to disable it. I have read through various discussion posts and Stack Overflow postings but it seems to me this is somehow a bug in our Redmine environment.

In the Main view -> Projects tab, the projects are all listed and a "New project" button is on the right side. We have Redmine version:
Environment:
Redmine version 4.0.2.stable
Ruby version 2.4.5-p335 (2018-10-18) [x86_64-linux]
Rails version 5.2.2
Environment production
Database adapter Mysql2

And our database is imported through the phpMyAdmin user interface from a Redmine 2.5 (maybe, I think?) and we manually edited out some tables to avoid import errors because of compatibility issues with the new database schema of Redmine 4.0.2.

Any help appreciated on how to disable this behaviour.

Regards, Marek Stepan

Replies (7)

RE: Roles and Permission for Root Project Creation - Added by Bernhard Rohloff 5 months ago

Hi Marek,

I think this is actually caused by the fact that users don't have any role outside the project scope. As there's no permission system in place and there's no setting to prevent non-admin users from creating a project everybody can do it. But I also think having a setting for this behavior would be a great feature. To solve your problem you can modify the helper method render_project_action_links which creates the "create project" link on this view in $REDMINE_ROOT/app/helpers/projects_helper.rb

Just comment out the following lines...

def render_project_action_links
  links = (+"").html_safe
#  if User.current.allowed_to?(:add_project, nil, :global => true)
#    links << link_to(l(:label_project_new), new_project_path, :class => 'icon icon-add')
#  end
  if User.current.admin?
    links << link_to(l(:label_administration), admin_projects_path, :class => 'icon icon-settings')
  end
  links
end

After restarting Redmine, root projects can only be created in the administration panel.

Kind regards,

Bernhard

RE: Roles and Permission for Root Project Creation - Added by Mischa The Evil 5 months ago

FWIW: the ability for non-admin users to create new (root) projects is governed by the "Create (sub)project(s)" permission. As such it is likely that some (system) roles are granted the respective permission.

Bernhard Rohloff wrote:

I think this is actually caused by the fact that users don't have any role outside the project scope. As there's no permission system in place and there's no setting to prevent non-admin users from creating a project everybody can do it.

Bernhard, this is, AFAIK, something that is supposed to be covered by the "Non member" and "Anonymous" system roles.

Bernhard Rohloff wrote:

To solve your problem you can modify the helper method render_project_action_links which creates the "create project" link on this view in $REDMINE_ROOT/app/helpers/projects_helper.rb

This would only remove the UI-element. Manually crafted requests would nevertheless still be handled.

RE: Roles and Permission for Root Project Creation - Added by Bernhard Rohloff 5 months ago

I've dived into the code, and found this description of the allowed_to? method.

# Return true if the user is allowed to do the specified action on a specific context
# Action can be:
# * a parameter-like Hash (eg. :controller => 'projects', :action => 'edit')
# * a permission Symbol (eg. :edit_project)
# Context can be:
# * a project : returns true if user is allowed to do the specified action on this project
# * an array of projects : returns true if user is allowed on every project
# * nil with options[:global] set : check if user has at least one role allowed for this action,
#   or falls back to Non Member / Anonymous permissions depending if the user is logged

So what I can extract of it is, that if a user has the 'create project' permission in at least one project, he is allowed to create global projects. That behavior is quite awkward and IMHO worth a future discussion.
As Mischa pointed out correctly, my solution doesn't prevent anybody from creating a root project by using hand crafted requests or the REST API, but I think hiding the button is sufficient enough for the 'normal' user.

RE: Roles and Permission for Root Project Creation - Added by Mischa The Evil 5 months ago

Bernhard Rohloff wrote:

So what I can extract of it is, that if a user has the 'create project' permission in at least one project, he is allowed to create global projects.

Yes, that's correct. And it's not even behavior tied specifically to the 'create project' permission also. It is much broader than that. It applies to anything outside the context of 1) a single project, or 2) a given array of projects (i.e. anything that relies on the return value of a call to User#allowed_to? without a given context and the :global option set [search the code-base for the strings ":global => true" and "authorize_global" to find all these cases]).

Bernhard Rohloff wrote:

That behavior is quite awkward and IMHO worth a future discussion.

I think it can be seen as an imprint of how the initial, project-based RBAC and permissions implementation developed over the years and evolved into the current implementation.
I agree that it is worth (future) discussion (I'd say: 'feel yourself free to do so'), but I think that, given the current design and the complexity of the matter, combined with the effort required, the probability that something concrete comes out of that (let alone that such is actually worked out and being implemented) is not very high.

As Mischa pointed out correctly, my solution doesn't prevent anybody from creating a root project by using hand crafted requests or the REST API, but I think hiding the button is sufficient enough for the 'normal' user.

The correct solution in the case of the OP is, I think, to revoke the permission from all the roles (custom and system). This way only admin users will be able to create new (root) projects.

RE: Roles and Permission for Root Project Creation - Added by Marek Stepan 5 months ago

Hello Everybody ,

first of all, thank you very much all for the informative and helpful feedback.
So as it turns out this is not a bug in our Redmine distribution but part of Redmine in general.

That behavior is quite awkward and IMHO worth a future discussion.

Yes, I totally agree that this is quite unexpected behaviour.

The correct solution in the case of the OP is, I think, to revoke the permission from all the roles (custom and system). This way only admin users will be able to create new (root) projects.

What do you mean by that? Only one group (the "Manager" group) has rights to create projects, and only 2-3 people are in the Manager group; no other group has project creation rights. Do I need to delete the group, or just retract the project creation permission of that group? I do not understand how this will affect people who are not in that group, which are the focus of my question.

RE: Roles and Permission for Root Project Creation - Added by Marek Stepan 5 months ago

Mischa The Evil wrote:

Bernhard Rohloff wrote:

So what I can extract of it is, that if a user has the 'create project' permission in at least one project, he is allowed to create global projects.

Yes, that's correct. And it's not even behavior tied specifically to the 'create project' permission also. It is much broader than that. It applies to anything outside the context of 1) a single project, or 2) a given array of projects (i.e. anything that relies on the return value of a call to User#allowed_to? without a given context and the :global option set [search the code-base for the strings ":global => true" and "authorize_global" to find all these cases]).

Bernhard Rohloff wrote:

That behavior is quite awkward and IMHO worth a future discussion.

I think it can be seen as an imprint of how the initial, project-based RBAC and permissions implementation developed over the years and evolved into the current implementation.
I agree that it is worth (future) discussion (I'd say: 'feel yourself free to do so'), but I think that, given the current design and the complexity of the matter, combined with the effort required, the probability that something concrete comes out of that (let alone that such is actually worked out and being implemented) is not very high.

As Mischa pointed out correctly, my solution doesn't prevent anybody from creating a root project by using hand crafted requests or the REST API, but I think hiding the button is sufficient enough for the 'normal' user.

The correct solution in the case of the OP is, I think, to revoke the permission from all the roles (custom and system). This way only admin users will be able to create new (root) projects.

I removed the "create project" permission from the Manager group, which my user (non-admin) is not part of, and my user lost the ability to create root projects! That is indeed very weird behaviour and absolutely counter-intuitive. I also think this is somehow a security issue, as any user with no permissions at all can create root projects at will if any group has create project permissions, even if he is not part of that group!

RE: Roles and Permission for Root Project Creation - Added by Bernhard Rohloff 5 months ago

Marek Stepan wrote:

I removed the "create project" permission from the Manager group, which my user (non-admin) is not part of, and my user lost the ability to create root projects! That is indeed very weird behaviour and absolutely counter-intuitive. I also think this is somehow a security issue, as any user with no permissions at all can create root projects at will if any group has create project permissions, even if he is not part of that group!

That's not really the expected behavior. Your user must not have any role in any project which has the 'create project' permission. It's not important if anybody else was given a role with that permission. I've tried this out on v3.4, v4.1 and on the latest trunk. So in your particular case your user has to have a manager role in at least a single project. Perhaps it's an archived one.
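The semantics Mischa describes for User#allowed_to? with a nil context and :global => true, and the point Bernhard makes in the reply above (what matters is whether the user themself holds a role granting the permission in some project, not whether anyone else does), are easier to reason about with a small model. The Ruby below is an added example written for this thread, not Redmine's own code: Role, Member, User, allowed_globally?, roles_granting and revoke_everywhere are simplified stand-ins that follow only the behaviour quoted from the source comment, and every role, user and permission in it is constructed sample data. It also carries out the fix Mischa recommends, revoking the permission from every role including the Non member and Anonymous system roles, and shows who can still create a root project afterwards.

```ruby
# Added example, not Redmine's own code: a small model of the behaviour this thread
# describes for User#allowed_to?(perm, nil, :global => true), plus the role audit that
# Mischa's advice ("revoke the permission from all roles, custom and system") implies.
# Role, Member, User, allowed_globally? and roles_granting are this example's own
# simplified stand-ins, not the real Redmine classes or methods; all data is constructed.

Role = Struct.new(:name, :permissions, :builtin) do
  # Same question the Roles and permissions screen answers for one checkbox.
  def has_permission?(perm)
    permissions.include?(perm)
  end

  # Returns a copy of the role with the permission removed (the administrator's fix).
  def without(perm)
    Role.new(name, permissions - [perm], builtin)
  end
end

Member = Struct.new(:project, :role)

class User
  attr_reader :login, :memberships, :admin

  def initialize(login, admin: false, memberships: [])
    @login, @admin, @memberships = login, admin, memberships
  end

  def logged?
    !login.nil?
  end

  # Every role the user holds in any project (the "at least one role" of the check).
  def roles
    memberships.map(&:role).uniq
  end

  # The global check as the quoted source comment describes it: admins always pass;
  # a user with roles passes if any one of them grants the permission, regardless of
  # which project that role was granted in; a user with no role at all falls back to
  # the Non member or Anonymous system role depending on whether they are logged in.
  def allowed_globally?(perm, non_member:, anonymous:)
    return true if admin
    return roles.any? { |r| r.has_permission?(perm) } if roles.any?
    (logged? ? non_member : anonymous).has_permission?(perm)
  end
end

# Audit: every role, custom or system, that still grants the permission. For the
# lock-down Mischa describes, this list must come back empty.
def roles_granting(perm, roles)
  roles.select { |r| r.has_permission?(perm) }.map(&:name)
end

# Constructed sample configuration; Non member deliberately carries :add_project to
# reproduce the situation where users with no membership can still create a project.
def build_roles
  {
    manager:    Role.new('Manager',    [:add_project, :add_subprojects, :edit_project], false),
    developer:  Role.new('Developer',  [:add_issues, :edit_issues], false),
    non_member: Role.new('Non member', [:add_project, :view_issues], true),
    anonymous:  Role.new('Anonymous',  [:view_issues], true)
  }
end

# Who can create a root project under a given role set? Returns login => bool plus
# the audit list under 'roles_granting', so before/after states can be compared.
def who_can_create_root_projects(roles)
  users = [
    User.new('alice', memberships: [Member.new('proj-a', roles[:manager])]),
    User.new('bob',   memberships: [Member.new('proj-a', roles[:developer])]),
    User.new('carol'),                 # registered, member of no project
    User.new(nil),                     # anonymous visitor
    User.new('root', admin: true)
  ]
  result = users.to_h do |u|
    [u.login || 'anonymous',
     u.allowed_globally?(:add_project, non_member: roles[:non_member], anonymous: roles[:anonymous])]
  end
  result.merge('roles_granting' => roles_granting(:add_project, roles.values))
end

# The fix: strip the permission from every role, system roles included.
def revoke_everywhere(roles, perm)
  roles.transform_values { |r| r.without(perm) }
end

if __FILE__ == $PROGRAM_NAME
  puts "before: #{who_can_create_root_projects(build_roles).inspect}"
  puts "after:  #{who_can_create_root_projects(revoke_everywhere(build_roles, :add_project)).inspect}"
end
```

Two things the run makes visible: bob, who only holds a Developer role, is not granted anything by the Manager role's permission, which is the behaviour Bernhard expects; and carol, who is a member of no project, inherits :add_project from the Non member system role, which is why revoking the permission from custom roles alone is not enough. On a real instance the equivalent audit is the "Create (sub)project(s)" column under Administration -> Roles and permissions, checked for every role including Non member and Anonymous.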
