Redmine

I think this is intended behavior of #5159.

This actually is a duplicate of #11724, where #9500 isn't actually tightly related. I'd suggest to keep this issue open because it contains a patch with tests.
Thanks for sharing this!

I had thought about that, and also about private issues (I'm still not 100% sure how those work, but IIRC watchers can see private issues too?), but I still think the current solution can be improved. The user pages for example still go to great lengths to make sure you can only see the user pages of users that have some activity in a project you can see source:/branches/2.3-stable/app/controllers/users_controller.rb#L68, probably to not disclose too many users.

I'm not really in favor of adding even more permissions, but what about a second permission for adding watchers: Rename the current permission to "Add any user as watcher" and "Add users you can see as watcher" or something similar?

Mischa The Evil wrote:

I'd suggest to keep this issue open because it contains a patch

Yes.

with tests.

No.

This currently should rather be considered a working and solid proof of concept, I especially wanted some discussion as to wether this behavior is intended, if it could or should be improved upon or if the Redmine core is happy with the current state and doesn't want to change it.

Felix Schäfer wrote:

[...] and also about private issues (I'm still not 100% sure how those work, but IIRC watchers can see private issues too?) [...]

The watcher mechanism is not (and should not) being used for access control. It is used for notification purposes only. See #8488.
(please post to the forum with questions about the current implementation of private issues, I'd be happy to catch you up on the subject ;)

but I still think the current solution can be improved.

I totally agree.

The user pages for example still go to great lengths to make sure you can only see the user pages of users that have some activity in a project you can see source:/branches/2.3-stable/app/controllers/users_controller.rb#L68, probably to not disclose too many users.

Yes, indeed. And I think this good. See r2986 which introduced these checks for #3720 and #4129.

I'm not really in favor of adding even more permissions, but what about a second permission for adding watchers: Rename the current permission to "Add any user as watcher" and "Add users you can see as watcher" or something similar?

That would solve the issue as far as I can see. Considering the nature of the issue I tend to think that it could justify adding such permission.

[...] I especially wanted some discussion as to wether this behavior is intended, if it could or should be improved upon or if the Redmine core is happy with the current state and doesn't want to change it.

As Toshi stated in note-3 it indeed seems the intended behavior as per #5159.
I definitely think it would be good if this is going to be improved. #11724 was filed initially as a defect, which I think this behavior is in the light of r2986.

Mischa The Evil wrote:

with tests.

No.

Hmm, I think I was a bit distracted and made a Freudian typo... ;)

Off-topic...Off-topic...