Defect #16329


right click on an issue ignore fields permissions

Added by Maxime Vez almost 10 years ago. Updated over 2 years ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Affected version:


From the issues list view, a right click on an issue let me change the tracker type of this issue, whereas when editing this issue I have no choice to change this Tracker type.

the latter behavior is conform to the field permissions I set up. I don't want people being able to change the type of tracker, it's a very big risk of loosing data.


right click.png (6.28 KB) right click.png can chagne the tracker from a right click Maxime Vez, 2014-03-13 06:01
fields permissions.png (7.52 KB) fields permissions.png impossible to change the tracker type Maxime Vez, 2014-03-13 06:01
edit tracker.png (4.52 KB) edit tracker.png edit : impossible to chagne the tracker type Maxime Vez, 2014-03-13 06:01
Actions #1

Updated by Maxime Vez almost 10 years ago

Could you confirm this as a bug, or ask me more details, or explain why it's not be a bug ? thank you.

Actions #2

Updated by Maxime Vez almost 10 years ago

I made multiple test with different configurations, and all of them have this problem. On list view we can affect whatever new tracker to the issue, which is not possible on the per issue view.
Even if my user don't have the right to delete issues, simply by changing their tracker result in a data lost. This is a serious bug imo.

Actions #3

Updated by Toshi MARUYAMA almost 10 years ago

  • Category set to Issues
Actions #4

Updated by Maxime Vez almost 10 years ago

So actually one can select a new tracker from the list view using the right click, but in fact even though it will dsplay a message of successthe tracker is actually not really changed. And so no risk of data loss. So It's rather a "display bug" than a serious bug. The not-allowed tracker type should just not be displayed by a right click to avoid confusion.
Sorry for the description, at the time I just looked at the "successfully updated" message, and thought the operation was indeed successfull (wheras it was not, so not data loss, so no big deal). Still there is a bug.

Actions #5

Updated by Go MAEDA over 2 years ago

  • Status changed from New to Confirmed
Actions #6

Updated by Takenori TAKAKI over 2 years ago

To fix this problem, I think it is enough to check that @safe_attributes contains 'tracker_id' as well as other attributes.
I will post the patch below.

diff --git a/app/views/context_menus/issues.html.erb b/app/views/context_menus/issues.html.erb
index f39beef182..4b4605407f 100644
--- a/app/views/context_menus/issues.html.erb
+++ b/app/views/context_menus/issues.html.erb
@@ -30,7 +30,7 @@
   <% end %>

-  <% if @trackers.present? %>
+  <% if @safe_attributes.include?('tracker_id') && @trackers.present? %>
   <li class="folder">
     <a href="#" class="submenu"><%= l(:field_tracker) %></a>

Also available in: Atom PDF