Defect #16329
openright click on an issue ignore fields permissions
0%
Description
From the issues list view, a right click on an issue let me change the tracker type of this issue, whereas when editing this issue I have no choice to change this Tracker type.
the latter behavior is conform to the field permissions I set up. I don't want people being able to change the type of tracker, it's a very big risk of loosing data.
Files
Updated by Maxime Vez over 10 years ago
Could you confirm this as a bug, or ask me more details, or explain why it's not be a bug ? thank you.
Updated by Maxime Vez over 10 years ago
I made multiple test with different configurations, and all of them have this problem. On list view we can affect whatever new tracker to the issue, which is not possible on the per issue view.
Even if my user don't have the right to delete issues, simply by changing their tracker result in a data lost. This is a serious bug imo.
Updated by Maxime Vez over 10 years ago
So actually one can select a new tracker from the list view using the right click, but in fact even though it will dsplay a message of successthe tracker is actually not really changed. And so no risk of data loss. So It's rather a "display bug" than a serious bug. The not-allowed tracker type should just not be displayed by a right click to avoid confusion.
Sorry for the description, at the time I just looked at the "successfully updated" message, and thought the operation was indeed successfull (wheras it was not, so not data loss, so no big deal). Still there is a bug.
Updated by Takenori TAKAKI about 3 years ago
To fix this problem, I think it is enough to check that @safe_attributes contains 'tracker_id' as well as other attributes.
I will post the patch below.
diff --git a/app/views/context_menus/issues.html.erb b/app/views/context_menus/issues.html.erb
index f39beef182..4b4605407f 100644
--- a/app/views/context_menus/issues.html.erb
+++ b/app/views/context_menus/issues.html.erb
@@ -30,7 +30,7 @@
</li>
<% end %>
- <% if @trackers.present? %>
+ <% if @safe_attributes.include?('tracker_id') && @trackers.present? %>
<li class="folder">
<a href="#" class="submenu"><%= l(:field_tracker) %></a>
<ul>