Defect #10148

Private issue in public projects

Added by Lu Pon over 9 years ago. Updated about 9 years ago.

Status:ClosedStart date:2012-02-03
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:Issues permissions
Target version:-
Resolution:Fixed Affected version:1.3.0

Description

We realize that in public projects, when you mark an issue as private you can see publicly.

An example here: http://projek.psico.edu.uy/issues/2092

Information about my environment:

mysql  Ver 14.14 Distrib 5.1.41
--
Ruby version              1.8.7 (x86_64-linux)
RubyGems version          1.3.7
Rack version              1.1.2
Rails version             2.3.14
Database schema version   20110902000000
--
Redmine 1.3.0.stable.8325

thanks !
(I apologies for my English)

Selection_002.png (48.3 KB) Lu Pon, 2012-02-03 20:13

private-issues-fix.patch Magnifier - Fix "private anon issues visible to anon users" bug (1.36 KB) Anonymous, 2012-08-30 22:48

Related issues

Related to Redmine - Feature #7414: Private issues Closed 2011-01-22
Related to Redmine - Defect #11872: Private issue visible to anonymous users after its author... Closed

History

#1 Updated by Jean-Philippe Lang over 9 years ago

  • Resolution set to Cant reproduce

Works for me, I can't access a private issue on a public project.
BTW, the link you provide requires authentication.

#2 Updated by Lu Pon over 9 years ago

Sorry, this issue works well.. but, take a look to this: http://projek.psico.edu.uy/issues/1868

I have 19 private issues.. I'm going to check all of them to try to find a pattern.

#3 Updated by Lu Pon over 9 years ago

19 private issues: 16 really private / 3 are with error.

We call them.. 1, 2 and 3:
  • 1: Created / Changed pub to priv / Change from one to another project (both public) - Change assigned to / Closed - changed %
  • 2: Open / Closed / Open / Changes assigned to / Again / Changed pub to priv
  • 3: Created / Closed - Changes assigned to - changed % - Changed pub to priv

I think there is a problem, changing them pub to priv.

I tried to reproduce it but couldn't.

But these 3 issues still with the problem. One of them you can see at previous update: http://projek.psico.edu.uy/issues/1868

#4 Updated by Jean-Philippe Lang over 9 years ago

Can you check the issue visibility setting for your Anonymous role (in Administration -> Roles -> Anonymous)?

#5 Updated by Lu Pon over 9 years ago

#6 Updated by Lu Pon over 9 years ago

Attached image shows Anonymous permissions.

#7 Updated by Jean-Philippe Lang over 9 years ago

It looks fine. Any plugins or custom changes to the code?

#8 Updated by Lu Pon over 9 years ago

No plugins, nor custom changes...

#9 Updated by Etienne Massip over 9 years ago

Did you change your project from private to public or vice versa?

#10 Updated by Lu Pon over 9 years ago

Those projects were created some months ago, and it's possible they were private at the beginning. I really don't remember.

But the 3 issues are from 3 different projects and 2 of those issues are very recently.

#11 Updated by Etienne Massip over 9 years ago

  • Priority changed from Urgent to Normal

I can't reproduce...were these issues created before you upgraded Redmine to 1.3 or even 1.2?

#12 Updated by Lu Pon over 9 years ago

Redmine was upgraded on 2011-12-23 to 1.3.0.stable.8325.

Date of Issues:
  • 1: 2011-09-01
  • 2: 2011-12-14
  • 3: 2011-12-24

Maybe I could make a dump of the database or something similar.

#13 Updated by Jean-Philippe Lang over 9 years ago

You can send me a database dump, I'll try to find out what is going wrong.

#14 Updated by Lu Pon over 9 years ago

I made this project: http://demo.redmine.org/projects/test-priv-pub

I created private and the put it public.

But I can't make private issues to reproduce the bug.

#15 Updated by Lu Pon over 9 years ago

I try, making issues again public and then private, but problem persist.

#16 Updated by Jean-Philippe Lang over 9 years ago

Lu Pa wrote:

I made this project: http://demo.redmine.org/projects/test-priv-pub

I created private and the put it public.

But I can't make private issues to reproduce the bug.

The permission was not set on the demo. You should be able to add private issues now.

#17 Updated by Lu Pon over 9 years ago

Ok, I tried to reproduce it but I coulnd't :(

I made 2 projects and 2 issues. Then I tried to move them, but I didn't have permission. So I copied them to the other project and made them public/private and vice versa. But problem doesn't appear.

Any idea to fix the problem on our system ?

#18 Updated by Lu Pon over 9 years ago

I just created a new private issue in a public project, and again: http://projek.psico.edu.uy/issues/2306

Could anybody tell me how to fix this??

#19 Updated by Anonymous about 9 years ago

We were having the same problem, and I tracked it down. Basically, users are allowed to view a private issue if they submitted it, or are assigned to it. Hence anoymous users are allowed to view issues submitted by "themselves", i.e. any anonymous user...

The attached patch fixes this, and also fixes the allowed_to? method of User to return a boolean at all times (and never a role, as it currently sometimes does)... the latter part does not seem to be directly related to this bug, though, but still should be fixed.

#20 Updated by Etienne Massip about 9 years ago

  • Status changed from New to Closed
  • Resolution changed from Cant reproduce to Fixed

Fixed with #11872 for 2.1.2.

Also available in: Atom PDF