Defect #11872
closed
Private issue visible to anonymous users after its author is deleted
Description
The attached patch fixes defect #10148.
Specifically, suppose an anonymous (= not logged in) user submits an issue. Or alternatively, a user submits an issue, but later that user's account is deleted (in that case the issue is marked as submitted by anonymous).
Suppose further that the issue is marked as private. Then logged-in users without the required permissions are not able to view the issue, as it is private.
But non-logged-in users are able to view it. That is so because the code logic always allows the user who submitted a report to view it... Which in this particular case does not really make sense. The first part of the attached patch addresses this.
The second part fixes a minor bug in the allowed_to? method, which used to use "detect" instead of "any?", causing it to sometimes return a role object instead of a boolean.
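The two defects described in this report, reduced to a small model, as an added example that is not the attached patch or Redmine's own code. The class names, the `visible_flawed?` and `allowed_to_detect` methods, and the `:view_private` permission are hypothetical.

```ruby
# Constructed model for illustration; names are hypothetical, not Redmine's.
Role = Struct.new(:name, :permissions)

class User
  attr_reader :id, :roles

  def initialize(id, roles = [], logged: true)
    @id, @roles, @logged = id, roles, logged
  end

  def logged?
    @logged
  end

  # Flawed form: detect returns the first matching Role object, or nil.
  def allowed_to_detect(permission)
    roles.detect { |r| r.permissions.include?(permission) }
  end

  # Corrected form: any? always returns true or false.
  def allowed_to?(permission)
    roles.any? { |r| r.permissions.include?(permission) }
  end
end

# Every not-logged-in visitor is this one user; issues whose author was
# deleted, or that were submitted while logged out, point at it as well.
ANONYMOUS = User.new(0, [], logged: false)

Issue = Struct.new(:author, :is_private) do
  # Flawed: the "author may always view" shortcut matches every anonymous visitor.
  def visible_flawed?(user)
    return true unless is_private
    author == user || user.allowed_to?(:view_private)
  end

  # Hardened: the author shortcut applies only to a logged-in account.
  def visible?(user)
    return true unless is_private
    (user.logged? && author == user) || user.allowed_to?(:view_private)
  end
end

orphaned = Issue.new(ANONYMOUS, true) # private issue, author deleted
puts "flawed check, anonymous visitor:   #{orphaned.visible_flawed?(ANONYMOUS)}"
puts "hardened check, anonymous visitor: #{orphaned.visible?(ANONYMOUS)}"
```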