Defect #10148
closed
Private issue in public projects
Added by Lu Pon almost 13 years ago. Updated about 12 years ago.
0%
Description
We realized that in public projects, when you mark an issue as private, you can still see it publicly.
An example here: http://projek.psico.edu.uy/issues/2092
Information about my environment:
mysql Ver 14.14 Distrib 5.1.41
Ruby version 1.8.7 (x86_64-linux)
RubyGems version 1.3.7
Rack version 1.1.2
Rails version 2.3.14
Database schema version 20110902000000
Redmine 1.3.0.stable.8325
Thanks!
(I apologize for my English)
Files
- Selection_002.png (48.3 KB) | Lu Pon, 2012-02-03 20:13
- private-issues-fix.patch (1.36 KB) | Fix "private anon issues visible to anon users" bug | Anonymous, 2012-08-30 22:48
Updated by Jean-Philippe Lang almost 13 years ago
- Resolution set to Cant reproduce
Works for me, I can't access a private issue on a public project.
BTW, the link you provide requires authentication.
Updated by Lu Pon almost 13 years ago
Sorry, this issue works well... but take a look at this: http://projek.psico.edu.uy/issues/1868
I have 19 private issues.. I'm going to check all of them to try to find a pattern.
Updated by Lu Pon almost 13 years ago
19 private issues: 16 really private / 3 are with error.
We call them 1, 2 and 3:
- 1: Created / Changed pub to priv / Change from one to another project (both public) - Change assigned to / Closed - changed %
- 2: Open / Closed / Open / Changes assigned to / Again / Changed pub to priv
- 3: Created / Closed - Changes assigned to - changed % - Changed pub to priv
I think there is a problem, changing them pub to priv.
I tried to reproduce it but couldn't.
But these 3 issues still have the problem. One of them you can see in the previous update: http://projek.psico.edu.uy/issues/1868
Updated by Jean-Philippe Lang almost 13 years ago
Can you check the issue visibility setting for your Anonymous role (in Administration -> Roles -> Anonymous)?
Updated by Lu Pon almost 13 years ago
Attached image shows Anonymous permissions.
Updated by Jean-Philippe Lang almost 13 years ago
It looks fine. Any plugins or custom changes to the code?
Updated by Etienne Massip almost 13 years ago
Did you change your project from private to public or vice versa?
Updated by Lu Pon almost 13 years ago
Those projects were created some months ago, and it's possible they were private at the beginning. I really don't remember.
But the 3 issues are from 3 different projects and 2 of those issues are very recent.
Updated by Etienne Massip almost 13 years ago
- Priority changed from Urgent to Normal
I can't reproduce... Were these issues created before you upgraded Redmine to 1.3 or even 1.2?
Updated by Lu Pon almost 13 years ago
Redmine was upgraded on 2011-12-23 to 1.3.0.stable.8325.
Date of Issues:
- 1: 2011-09-01
- 2: 2011-12-14
- 3: 2011-12-24
Maybe I could make a dump of the database or something similar.
Updated by Jean-Philippe Lang almost 13 years ago
You can send me a database dump, I'll try to find out what is going wrong.
Updated by Lu Pon almost 13 years ago
I made this project: http://demo.redmine.org/projects/test-priv-pub
I created it private and then put it public.
But I can't make private issues to reproduce the bug.
Updated by Lu Pon almost 13 years ago
I tried making the issues public again and then private, but the problem persists.
Updated by Jean-Philippe Lang almost 13 years ago
Lu Pa wrote:
> I made this project: http://demo.redmine.org/projects/test-priv-pub
> I created it private and then put it public.
> But I can't make private issues to reproduce the bug.
The permission was not set on the demo. You should be able to add private issues now.
Updated by Lu Pon almost 13 years ago
Ok, I tried to reproduce it but I couldn't :(
I made 2 projects and 2 issues. Then I tried to move them, but I didn't have permission. So I copied them to the other project and made them public/private and vice versa. But the problem doesn't appear.
Any idea how to fix the problem on our system?
Updated by Lu Pon over 12 years ago
I just created a new private issue in a public project, and again: http://projek.psico.edu.uy/issues/2306
Could anybody tell me how to fix this??
Updated by Anonymous about 12 years ago
- File private-issues-fix.patch added
We were having the same problem, and I tracked it down. Basically, users are allowed to view a private issue if they submitted it, or are assigned to it. Hence anonymous users are allowed to view issues submitted by "themselves", i.e. any anonymous user...
The attached patch fixes this, and also fixes the allowed_to? method of User to return a boolean at all times (and never a role, as it currently sometimes does)... the latter part does not seem to be directly related to this bug, though, but still should be fixed.
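The visibility rule described in the comment above, as an added example that is not part of the original thread, the attached patch, or Redmine's code. It is a simplified Ruby model: all names (`User`, `Issue`, `visible_flawed?`, `visible_fixed?`, `exposed_private_ids`) and the sample data are hypothetical, and it assumes every unauthenticated visitor is mapped to one shared anonymous account.

```ruby
# Simplified model of the authorization flaw; hypothetical names, not Redmine code.
User  = Struct.new(:id, :logged_in)
Issue = Struct.new(:id, :is_private, :author_id, :assigned_to_id)

# Assumption: all unauthenticated visitors share this single account,
# so they all carry the same user id.
ANONYMOUS = User.new(2, false)

# Flawed rule: a private issue is visible to its author or assignee,
# decided by comparing ids only. Public issues are always visible here
# because the model assumes a public project.
def visible_flawed?(issue, user)
  return true unless issue.is_private
  issue.author_id == user.id || issue.assigned_to_id == user.id
end

# Hardened rule: the author/assignee exception applies only to
# authenticated users, and the result is always true or false.
def visible_fixed?(issue, user)
  return true unless issue.is_private
  return false unless user.logged_in
  issue.author_id == user.id || issue.assigned_to_id == user.id
end

# Audit helper: ids of private issues that the flawed rule exposes to
# any anonymous visitor.
def exposed_private_ids(issues)
  issues.select { |i| i.is_private && visible_flawed?(i, ANONYMOUS) }.map(&:id)
end

# Constructed sample data.
ALICE  = User.new(10, true)
ISSUES = [
  Issue.new(1, true,  ANONYMOUS.id, nil), # private, filed anonymously
  Issue.new(2, true,  ALICE.id,     nil), # private, filed by Alice
  Issue.new(3, false, ANONYMOUS.id, nil)  # public, filed anonymously
]

ISSUES.each do |issue|
  puts format("issue %d: flawed=%s fixed=%s", issue.id,
              visible_flawed?(issue, ANONYMOUS), visible_fixed?(issue, ANONYMOUS))
end
puts "exposed to anonymous visitors: #{exposed_private_ids(ISSUES).inspect}"
```

Running the same kind of query against a real database (private issues whose author or assignee is the anonymous account) identifies which existing issues were readable before the fix.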
Updated by Etienne Massip about 12 years ago
- Status changed from New to Closed
- Resolution changed from Cant reproduce to Fixed