Defect #1730
closed
Private projects with public subprojects disclose the parent project
Added by micah anderson over 16 years ago.
Updated almost 15 years ago.
Description
If you create a private project, the project is not visible to users who are not signed in. This is good and what is expected. However, if you add a subproject to this private project and make that subproject public, then the parent project becomes visible in the project list. This is unexpected, and probably should not happen.
This is using 0.7.devel.1625 (MySQL)
then the parent project becomes visible in the project list
What project list exactly ? The drop-down (quick jump) project list or the project list at /projects ?
The project list at /projects, as well as the pull down menu and the home page where it says "Latest Projects" all list the parent project that is not marked public.
This seems to be fixed in the new 0.8.0-RC1. Just tested it and private parent projects are only showed in the stated views when:
- the logged-in user has a role on the project itself
- or when the logged-in user has a role on a child project (though the user receives a 403-error when selecting the parent-project for which he doesn't have a role).
Please provide some feedback of your experiences... ;-)
- Status changed from New to Resolved
- % Done changed from 0 to 100
Hello,
I've just installed 0.80 and it does indeed look like this has been resolved.
Thanks a lot, redmine is truely great.
Mischa The Evil wrote:
This seems to be fixed in the new 0.8.0-RC1. Just tested it and private parent projects are only showed in the stated views when [...] the logged-in user has a role on a child project (though the user receives a 403-error when selecting the parent-project for which he doesn't have a role).
We probably shouldn't be displaying links to users that will 403 on them. :(
- Status changed from Resolved to Closed
- Resolution set to Fixed
Brad Beattie wrote:
Mischa The Evil wrote:
This seems to be fixed in the new 0.8.0-RC1. Just tested it and private parent projects are only showed in the stated views when [...] the logged-in user has a role on a child project (though the user receives a 403-error when selecting the parent-project for which he doesn't have a role).
We probably shouldn't be displaying links to users that will 403 on them. :(
This is fixed in the current trunk (which will become Redmine 0.9.0).
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by