Private issue in public projects
We realize that in public projects, when you mark an issue as private you can see publicly.
An example here: http://projek.psico.edu.uy/issues/2092
Information about my environment:
mysql Ver 14.14 Distrib 5.1.41 -- Ruby version 1.8.7 (x86_64-linux) RubyGems version 1.3.7 Rack version 1.1.2 Rails version 2.3.14 Database schema version 20110902000000 -- Redmine 1.3.0.stable.8325
(I apologies for my English)
#3 Updated by Lu Pa over 8 years ago
19 private issues: 16 really private / 3 are with error.We call them.. 1, 2 and 3:
- 1: Created / Changed pub to priv / Change from one to another project (both public) - Change assigned to / Closed - changed %
- 2: Open / Closed / Open / Changes assigned to / Again / Changed pub to priv
- 3: Created / Closed - Changes assigned to - changed % - Changed pub to priv
I think there is a problem, changing them pub to priv.
I tried to reproduce it but couldn't.
But these 3 issues still with the problem. One of them you can see at previous update: http://projek.psico.edu.uy/issues/1868
#16 Updated by Jean-Philippe Lang over 8 years ago
Lu Pa wrote:
I made this project: http://demo.redmine.org/projects/test-priv-pub
I created private and the put it public.
But I can't make private issues to reproduce the bug.
The permission was not set on the demo. You should be able to add private issues now.
#17 Updated by Lu Pa over 8 years ago
Ok, I tried to reproduce it but I coulnd't :(
I made 2 projects and 2 issues. Then I tried to move them, but I didn't have permission. So I copied them to the other project and made them public/private and vice versa. But problem doesn't appear.
Any idea to fix the problem on our system ?
#19 Updated by Anonymous almost 8 years ago
- File private-issues-fix.patch added
We were having the same problem, and I tracked it down. Basically, users are allowed to view a private issue if they submitted it, or are assigned to it. Hence anoymous users are allowed to view issues submitted by "themselves", i.e. any anonymous user...
The attached patch fixes this, and also fixes the allowed_to? method of User to return a boolean at all times (and never a role, as it currently sometimes does)... the latter part does not seem to be directly related to this bug, though, but still should be fixed.