Defect #10148

Private issue in public projects

Added by Lu Pon about 12 years ago. Updated over 11 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Issues permissions
Target version: -
Start date: 2012-02-03
Due date:
% Done: 0%
Estimated time:
Resolution: Fixed
Affected version:

Description

We realize that in public projects, when you mark an issue as private, you can see it publicly.

An example here: http://projek.psico.edu.uy/issues/2092

Information about my environment:

mysql  Ver 14.14 Distrib 5.1.41
--
Ruby version              1.8.7 (x86_64-linux)
RubyGems version          1.3.7
Rack version              1.1.2
Rails version             2.3.14
Database schema version   20110902000000
--
Redmine 1.3.0.stable.8325

Thanks!
(I apologize for my English)


Files

Selection_002.png (48.3 KB) - Lu Pon, 2012-02-03 20:13
private-issues-fix.patch (1.36 KB) - Fix "private anon issues visible to anon users" bug - Anonymous, 2012-08-30 22:48

Related issues

Related to Redmine - Feature #7414: Private issues (Closed, 2011-01-22)
Related to Redmine - Defect #11872: Private issue visible to anonymous users after its author is deleted (Closed, Jean-Philippe Lang)

Actions #1

Updated by Jean-Philippe Lang about 12 years ago

  • Resolution set to Cant reproduce

Works for me, I can't access a private issue on a public project.
BTW, the link you provide requires authentication.

Actions #2

Updated by Lu Pon about 12 years ago

Sorry, this issue works well... but take a look at this: http://projek.psico.edu.uy/issues/1868

I have 19 private issues.. I'm going to check all of them to try to find a pattern.

Actions #3

Updated by Lu Pon about 12 years ago

19 private issues: 16 really private / 3 are with error.

We call them.. 1, 2 and 3:
  • 1: Created / Changed pub to priv / Change from one to another project (both public) - Change assigned to / Closed - changed %
  • 2: Open / Closed / Open / Changes assigned to / Again / Changed pub to priv
  • 3: Created / Closed - Changes assigned to - changed % - Changed pub to priv

I think there is a problem, changing them pub to priv.

I tried to reproduce it but couldn't.

But these 3 issues still have the problem. One of them you can see in the previous update: http://projek.psico.edu.uy/issues/1868

Actions #4

Updated by Jean-Philippe Lang about 12 years ago

Can you check the issue visibility setting for your Anonymous role (in Administration -> Roles -> Anonymous)?

Actions #6

Updated by Lu Pon about 12 years ago

Attached image shows Anonymous permissions.

Actions #7

Updated by Jean-Philippe Lang about 12 years ago

It looks fine. Any plugins or custom changes to the code?

Actions #8

Updated by Lu Pon about 12 years ago

No plugins, nor custom changes...

Actions #9

Updated by Etienne Massip about 12 years ago

Did you change your project from private to public or vice versa?

Actions #10

Updated by Lu Pon about 12 years ago

Those projects were created some months ago, and it's possible they were private at the beginning. I really don't remember.

But the 3 issues are from 3 different projects and 2 of those issues are very recent.

Actions #11

Updated by Etienne Massip about 12 years ago

  • Priority changed from Urgent to Normal

I can't reproduce...were these issues created before you upgraded Redmine to 1.3 or even 1.2?

Actions #12

Updated by Lu Pon about 12 years ago

Redmine was upgraded on 2011-12-23 to 1.3.0.stable.8325.

Date of Issues:
  • 1: 2011-09-01
  • 2: 2011-12-14
  • 3: 2011-12-24

Maybe I could make a dump of the database or something similar.

Actions #13

Updated by Jean-Philippe Lang about 12 years ago

You can send me a database dump, I'll try to find out what is going wrong.

Actions #14

Updated by Lu Pon about 12 years ago

I made this project: http://demo.redmine.org/projects/test-priv-pub

I created it private and then made it public.

But I can't make private issues to reproduce the bug.

Actions #15

Updated by Lu Pon about 12 years ago

I tried making the issues public again and then private, but the problem persists.

Actions #16

Updated by Jean-Philippe Lang about 12 years ago

Lu Pa wrote:

I made this project: http://demo.redmine.org/projects/test-priv-pub

I created it private and then made it public.

But I can't make private issues to reproduce the bug.

The permission was not set on the demo. You should be able to add private issues now.

Actions #17

Updated by Lu Pon about 12 years ago

Ok, I tried to reproduce it but I couldn't :(

I made 2 projects and 2 issues. Then I tried to move them, but I didn't have permission. So I copied them to the other project and made them public/private and vice versa. But the problem doesn't appear.

Any idea to fix the problem on our system ?

Actions #18

Updated by Lu Pon about 12 years ago

I just created a new private issue in a public project, and again: http://projek.psico.edu.uy/issues/2306

Could anybody tell me how to fix this??

Actions #19

Updated by Anonymous over 11 years ago

We were having the same problem, and I tracked it down. Basically, users are allowed to view a private issue if they submitted it, or are assigned to it. Hence anonymous users are allowed to view issues submitted by "themselves", i.e. any anonymous user...

The attached patch fixes this, and also fixes the allowed_to? method of User to return a boolean at all times (and never a role, as it currently sometimes does)... the latter part does not seem to be directly related to this bug, though, but still should be fixed.
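
A minimal Ruby model of the root cause described in comment #19, added here as an illustration; it is not Redmine's code or the attached patch, and every class, method and constant name in it is hypothetical. It shows the ownership rule before and after restricting it to authenticated accounts, plus an audit helper that lists private issues owned by the shared anonymous account.

```ruby
# Simplified model of the visibility rule from comment #19 (not Redmine's code).
# All names below are hypothetical and exist only for this example.
User = Struct.new(:id, :name, :anonymous) do
  def logged?
    !anonymous
  end
end
Issue = Struct.new(:id, :is_private, :author, :assignee)

# One shared pseudo-account represents every unauthenticated visitor.
ANONYMOUS = User.new(0, "Anonymous", true)
ALICE     = User.new(1, "alice", false)

# Flawed rule: a private issue is visible to its author or assignee.
# Every anonymous visitor is ANONYMOUS, so the author test passes for all of them.
def visible_flawed?(issue, user)
  return true unless issue.is_private
  issue.author == user || issue.assignee == user
end

# Hardened rule: ownership only counts for an authenticated account.
def visible_hardened?(issue, user)
  return true unless issue.is_private
  user.logged? && (issue.author == user || issue.assignee == user)
end

# Audit helper: private issues whose author or assignee is the anonymous account.
def exposed_private_issues(issues)
  issues.select do |i|
    i.is_private && [i.author, i.assignee].compact.any?(&:anonymous)
  end
end

# Constructed sample data.
ISSUES = [
  Issue.new(101, true,  ALICE,     nil),
  Issue.new(102, true,  ANONYMOUS, nil),       # submitted without logging in
  Issue.new(103, false, ANONYMOUS, nil),       # public, visible to everyone
  Issue.new(104, true,  ALICE,     ANONYMOUS)  # assigned to the anonymous account
].freeze

if __FILE__ == $PROGRAM_NAME
  exposed_private_issues(ISSUES).each do |i|
    puts "issue ##{i.id}: flawed=#{visible_flawed?(i, ANONYMOUS)} " \
         "hardened=#{visible_hardened?(i, ANONYMOUS)}"
  end
end
```

The same ownership test also explains the related defect #11872 by its title: an issue whose author ends up being the anonymous account passes the flawed rule for every unauthenticated visitor.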

Actions #20

Updated by Etienne Massip over 11 years ago

  • Status changed from New to Closed
  • Resolution changed from Cant reproduce to Fixed

Fixed with #11872 for 2.1.2.
