Defect #12287

Time entries of private issues are visible by users without permission to see them

Added by Ricardo S over 10 years ago. Updated 4 months ago.

Status: Needs feedback
Priority: High
Assignee: -
Category: Time tracking
Target version: Candidate for next minor release
% Done: 0%
Start date:
Due date:
Resolution:
Affected version:

Description

By accessing /projects/:id/time_entries, users can see time entries submitted on private issues even if they don't have access to the issue.

Affected version:
Redmine: 2.1.2.devel.10772
Rails: 3.2.8
Ruby: 1.9.3 (x86_64-linux)


Related issues

Duplicated by Redmine - Defect #37729: Time entries listed/visible even for issues not accessibl... Closed

History

#1 Updated by Daniel Felix over 10 years ago

  • Status changed from New to Confirmed
  • Priority changed from Normal to High

Hi,

I can confirm this with current trunk (10781)!

#2 Updated by Ricardo S over 10 years ago

This can be fixed with the following modifications on the TimeEntry model:

  # In the TimeEntry model (Redmine 2.1 / Rails 3.2 style scopes)
  class TimeEntry < ActiveRecord::Base
    # Create this method: AND issue visibility with the :view_time_entries
    # project permission, so both conditions must hold for an entry to be listed
    def self.visible_condition(user, options={})
      "(#{Issue.visible_condition(user, options)} AND #{Project.allowed_to_condition(user, :view_time_entries, options)})"
    end

    # Update the :visible scope: first argument is the user (defaults to
    # User.current), any remaining arguments are passed through as options
    scope :visible, lambda {|*args| {
      :include => [:project, :issue],
      :conditions => TimeEntry.visible_condition(args.shift || User.current, *args)
    }}
  end

With these changes, time entries on private issues will no longer be visible on the search results page or on the /projects/:id/time_entries page.

#3 Updated by Etienne Massip about 10 years ago

  • Target version set to Candidate for next minor release

#4 Updated by Toshi MARUYAMA almost 10 years ago

What is the status of this issue?

#5 Updated by Marius BALTEANU almost 6 years ago

Time entries logged on private issues are still visible to users who have permission to see all time entries but do not have enough permissions to see the respective issues.

Is this a defect or is it the expected behaviour?

#6 Updated by Mischa The Evil 4 months ago

  • Duplicated by Defect #37729: Time entries listed/visible even for issues not accessible by user added

#7 Updated by Mischa The Evil 4 months ago

  • Status changed from Confirmed to Needs feedback

Marius BALTEANU wrote:

[...]

Is this a defect or is it the expected behaviour?

I don't think it is a defect. Time entry visibility is (and has always been) independent of issue visibility. Time entries and issues aren't coupled in any way regarding object visibility. AFAIK such coupling was never intended to be part of the scope of issues #7412, #7414 or #8929.
Instead, time entry visibility depends entirely on the :view_time_entries permission together with the "time logs visibility" role setting, which determines whether the role can view all time entries or only its own.

Given the above, I'd say we can close this issue as 'won't fix'. However, given the observed expectations and the potential implications, it might be a good idea to open a new feature request for an option to also take issue visibility and/or even issue permissions into account when considering time entry visibility.

What do you think?
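
The two visibility rules debated in this thread (the uncoupled rule described in note #7 and the issue-coupled condition proposed in note #2), modelled in plain Ruby as an added example that is not Redmine's own code; User, Role, Issue and TimeEntry here are constructed stand-ins for the real models, and the data is made up:

```ruby
# Added illustration, not Redmine's code: a plain-Ruby model of the two visibility
# rules from notes #2 and #7; User/Role/Issue/TimeEntry are stand-ins, not the real models.
User  = Struct.new(:id, :role)
# time_logs_visibility mirrors the role setting from note #7: :all or :own
Role  = Struct.new(:can_view_time_entries, :time_logs_visibility)
Issue = Struct.new(:id, :is_private, :author_id)
TimeEntry = Struct.new(:id, :user_id, :issue)

# Issue visibility, simplified for the demo: a private issue is visible only to its author.
def issue_visible?(issue, user)
  !issue.is_private || issue.author_id == user.id
end

# Rule A (note #7): visibility depends only on :view_time_entries and the
# role's time logs visibility setting; issue visibility is never consulted.
def visible_uncoupled?(entry, user)
  role = user.role
  return false unless role.can_view_time_entries
  role.time_logs_visibility == :all || entry.user_id == user.id
end

# Rule B (note #2): the same check ANDed with the visibility of the issue the
# entry was logged on, which is what the proposed visible_condition does in SQL.
def visible_coupled?(entry, user)
  visible_uncoupled?(entry, user) && issue_visible?(entry.issue, user)
end

# Return the ids of the entries `user` may see under the given rule.
def visible_entries(entries, user, rule)
  entries.select { |e| send(rule, e, user) }.map(&:id)
end

# Constructed sample data: one public issue and one private issue authored by user 1.
PUBLIC_ISSUE  = Issue.new(10, false, 1)
PRIVATE_ISSUE = Issue.new(11, true, 1)
ENTRIES = [
  TimeEntry.new(100, 1, PUBLIC_ISSUE),
  TimeEntry.new(101, 1, PRIVATE_ISSUE),  # hours logged on the private issue
  TimeEntry.new(102, 2, PUBLIC_ISSUE),
]
VIEWER  = User.new(2, Role.new(true, :all))   # may view all entries, cannot see issue 11
AUTHOR  = User.new(1, Role.new(true, :own))   # may view own entries only, authored issue 11
NO_PERM = User.new(4, Role.new(false, :all))  # lacks :view_time_entries entirely

if __FILE__ == $0
  [VIEWER, AUTHOR, NO_PERM].each do |u|
    puts "user #{u.id}: uncoupled=#{visible_entries(ENTRIES, u, :visible_uncoupled?).inspect} " \
         "coupled=#{visible_entries(ENTRIES, u, :visible_coupled?).inspect}"
  end
end
```

Under rule A the viewer with "all" visibility is shown entry 101 although issue 11 is hidden from them; rule B drops it while leaving the issue author's own entries untouched.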
