Defect #13360

Permissions of Multiple Roles

Added by Adnan Topçu over 9 years ago. Updated 12 months ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Permissions and roles
Target version: -
Resolution: Wont fix
Affected version: 2.2.3

Description

There are two roles:
  1. RolA: issue visibility setting is "Issues created by or assigned to the user" and it has issue edit permissions.
  2. RolB: issue visibility setting is "All non private issues" and it has issue view permissions, do not edit!

If a user has both the RolA and RolB roles, the result is:
The user can edit all non private issues.

In my opinion, this is not usual.

Recent discussion: http://www.redmine.org/boards/1/topics/36188?r=36236#message-36236


Related issues

Related to Redmine - Feature #13422: "Edit assigned user" permission for issues Closed

History

#1 Updated by Adnan Topçu over 9 years ago

There is a need for issue editing only by the assigned user. This is possible by fixing this issue or by adding a new permission such as "edit assigned issue", etc.
Please write your opinions.
Regards

#2 Updated by Go MAEDA about 2 years ago

Adnan Topçu wrote:

There are two roles:
  1. RolA: issue visibility setting is "Issues created by or assigned to the user" and it has issue edit permissions.
  2. RolB: issue visibility setting is "All non private issues" and it has issue view permissions, do not edit!

If a user has both the RolA and RolB roles, the result is:
The user can edit all non private issues.

I think it is expected behavior. The RedmineRoles page says that "If a member has multiple roles in a project, the permissions applied to the member is the combination of all roles' permissions".

#3 Updated by Matthias Lehmann over 1 year ago

Go MAEDA wrote:

Adnan Topçu wrote:

There are two roles:
  1. RolA: issue visibility setting is "Issues created by or assigned to the user" and it has issue edit permissions.
  2. RolB: issue visibility setting is "All non private issues" and it has issue view permissions, do not edit!

If a user has both the RolA and RolB roles, the result is:
The user can edit all non private issues.

I think it is expected behavior. The RedmineRoles page says that "If a member has multiple roles in a project, the permissions applied to the member is the combination of all roles' permissions".

That probably depends on the interpretation of "combination". As an example, if one role contains the numbers 10 to 12 and the second role the numbers 15 to 17, I would expect the combination of both roles to include 10,11,12,15,16,17. You seem to suggest that the combination includes 10 through to 17, which I personally wouldn't expect. In the specific example brought up by Adnan I would expect the combination to be "view all issues and edit the ones created by or assigned to the user", not "view and edit all issues".

#4 Updated by Go MAEDA over 1 year ago

Matthias Lehmann wrote:

Go MAEDA wrote:

Adnan Topçu wrote:

There are two roles:
  1. RolA: issue visibility setting is "Issues created by or assigned to the user" and it has issue edit permissions.
  2. RolB: issue visibility setting is "All non private issues" and it has issue view permissions, do not edit!

If a user has both the RolA and RolB roles, the result is:
The user can edit all non private issues.

I think it is expected behavior. The RedmineRoles page says that "If a member has multiple roles in a project, the permissions applied to the member is the combination of all roles' permissions".

That probably depends on the interpretation of "combination". As an example, if one role contains the numbers 10 to 12 and the second role the numbers 15 to 17, I would expect the combination of both roles to include 10,11,12,15,16,17.

Redmine behaves exactly like that.

#5 Updated by Go MAEDA 12 months ago

  • Status changed from New to Closed
  • Resolution set to Wont fix
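
The two readings of "combination" debated in this thread, shown side by side in an added Ruby sketch. This is a simplified model written for this page, not Redmine's own code; `Role`, `Issue`, `visible_through?`, `can_edit_combined?`, `can_edit_per_role?`, `editable_ids`, the visibility symbols and the sample issues are all assumptions made for illustration.

```ruby
# Simplified model of the scenario in this issue; NOT Redmine's source code.
# Role, Issue and both can_edit_* functions are hypothetical names.
Role  = Struct.new(:name, :visibility, :permissions)
Issue = Struct.new(:id, :author, :assignee, :private)

ROL_A = Role.new("RolA", :own,     [:view_issues, :edit_issues])
ROL_B = Role.new("RolB", :default, [:view_issues])

# Does a single role's visibility setting cover this issue for this user?
def visible_through?(role, user, issue)
  own = issue.author == user || issue.assignee == user
  case role.visibility
  when :all     then true
  when :default then !issue.private || own   # "All non private issues"
  when :own     then own                     # "Issues created by or assigned to the user"
  else false
  end
end

# Behaviour reported in the ticket: visibility and permissions are each
# combined across all roles, then checked independently of one another.
def can_edit_combined?(roles, user, issue)
  roles.any? { |r| visible_through?(r, user, issue) } &&
    roles.any? { |r| r.permissions.include?(:edit_issues) }
end

# Reading proposed in comment #3: the same role must both expose the issue
# and grant the edit permission.
def can_edit_per_role?(roles, user, issue)
  roles.any? do |r|
    r.permissions.include?(:edit_issues) && visible_through?(r, user, issue)
  end
end

# Constructed sample data.
ISSUES = [
  Issue.new(1, "alice", "bob",   false),  # assigned to bob
  Issue.new(2, "alice", "carol", false),  # unrelated to bob, public
  Issue.new(3, "alice", "carol", true)    # unrelated to bob, private
]

def editable_ids(check, roles, user)
  ISSUES.select { |i| send(check, roles, user, i) }.map(&:id)
end

puts "combined: #{editable_ids(:can_edit_combined?, [ROL_A, ROL_B], 'bob')}"
puts "per-role: #{editable_ids(:can_edit_per_role?, [ROL_A, ROL_B], 'bob')}"
```

When auditing role assignments under the combined model, the question to ask for each member is whether any one role widens visibility while another grants a write permission, since neither role shows the effective access on its own.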
