Feature #17747
Private roles
Status: open
Description
Private roles could be used:
- to give users access to a private project, without being visible as project members
  f.e. read-only access (users can't be assignees or authors)
- to change permissions of users to a public project, without being visible as project members
  f.e. give trusted users (non contributors) the permission to create issue-relations on redmine.org
The visibility of users with a private role is equivalent to the "Non member" role
This implies certain changes:
- a boolean-attribute "private" on roles
- private role and users with this role are not listed in project overview
- users with (only) a private role are not listed:
  - in issue query - user-combobox (author, assignee, custom user field)
  - in issue summary (assignee/author list)
- users with (only) a private role are visible (like non-members) if they acted on an issue (as author or when adding a note):
  - in activity overview
  - in issue detail
  - in issue query if grouped by author/assignee
Note that a user can have a private role on a certain project, and a public role (member) on another project
Optional - permission "view private users"
If a user has the permission "view users with private role", then users with private roles are treated the same as users with public roles
Some related issues:
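The listing rules from the description, sketched as an added example in plain Ruby; this is not Redmine code and not the patch attached to this issue. The `Role`, `Membership` and `VisibilityModel` names, the `:view_private_users` symbol and the sample data are assumptions made for illustration.

```ruby
# Added illustration in plain Ruby; not Redmine code and not the patch from this thread.
# Role, Membership and the :view_private_users permission are hypothetical names.
Role = Struct.new(:name, :private, :permissions)
Membership = Struct.new(:user, :project, :roles)

class VisibilityModel
  def initialize(memberships)
    @memberships = memberships
  end

  # Roles a user holds on a project (empty for non-members).
  def roles_for(user, project)
    @memberships.select { |m| m.user == user && m.project == project }
                .flat_map(&:roles)
  end

  # A user is a "private member" when every role held on the project is private.
  def private_only?(user, project)
    roles = roles_for(user, project)
    !roles.empty? && roles.all?(&:private)
  end

  # The optional permission: viewers holding it see private members like public ones.
  def can_view_private?(viewer, project)
    roles_for(viewer, project).any? { |r| r.permissions.include?(:view_private_users) }
  end

  # Members shown in the project overview and in author/assignee pickers.
  def listed_members(project, viewer)
    members = @memberships.select { |m| m.project == project }.map(&:user).uniq
    return members if can_view_private?(viewer, project)
    members.reject { |u| private_only?(u, project) }
  end
end

# Constructed sample data.
AUDITOR = Role.new("Auditor", true, [])
DEV     = Role.new("Developer", false, [])
MANAGER = Role.new("Manager", false, [:view_private_users])
MODEL = VisibilityModel.new([
  Membership.new("alice", "customer-a", [DEV]),
  Membership.new("bob",   "customer-a", [AUDITOR]),       # private only: hidden
  Membership.new("carol", "customer-a", [AUDITOR, DEV]),  # mixed roles: still listed
  Membership.new("dave",  "customer-a", [MANAGER]),       # may view private members
  Membership.new("bob",   "internal",   [DEV])            # public role on another project
])
```

The per-project evaluation matters: `bob` is hidden on `customer-a` but listed on `internal`, which is the case the description's note about private and public roles on different projects covers.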
Updated by Toshi MARUYAMA about 10 years ago
- Related to Defect #7645: Issue summary should filter Assignee & Author lists added
Updated by Toshi MARUYAMA about 10 years ago
- Related to Feature #11724: Prevent users from seeing other users based on their project membership added
Updated by Wim DePreter over 9 years ago
- (existing) All active users
- (existing) All members of visible projects
- (new) All non-private members of visible projects
- Give readonly-access for a private project to users without being visible to other users (f.e. for reporting)
- Hide "internal" users (this is our case)
We have a private project per customer and:
- all "internal" users should have access (via private role) to all customer projects
- "customer" user should only see
  - other users of the same customer (by definition, customer user has only access to his project)
  - account manager for that customer ("account manager" is a not-private role)
  - none of the (other, i.e. different from the account manager) "internal" users
Updated by Wim DePreter over 9 years ago
I've no experience with Ruby, but inspired by (and building on) the modifications for #11724, I've created a patch.
It's very basic (created with trial and error), and maybe there are still some issues with it.
- A role is private if name begins with "private."
  (this should be a new "private" attribute on roles, but I don't want to introduce database-changes with a patch)
- Only administrator can assign a private role to a user/group
- Patch doesn't work for Custom User Fields (we don't use these, and I couldn't find how to filter the list)
- Role option user visibility = "Members of visible projects" is always considered as "All non-private members of visible projects"
- I've reverted a change from r13584 (users_controller.rb), because if user with private role (or non-member?) acts on an issue (or is assigned to an issue), user-detail should be visible
- I didn't find a way to filter the detailed view in issue-summary for assignees or authors, so a page 404 is shown instead (if current user can't see all members)
- Patch is tested in a single-user environment (bitnami-package), maybe there are some performance-issues
Updated by Toshi MARUYAMA over 9 years ago
- Related to Feature #6015: Private Users added
Updated by Toshi MARUYAMA over 9 years ago
- Related to Feature #13533: Concept for controlling visibility of users added
Updated by Filip Sabo almost 9 years ago
Can I apply this patch on Redmine 3.1.1? I also have bitnami package. I am getting a reject file project.rb.rej:
--- app/models/project.rb (revision 14045)
+++ app/models/project.rb (working copy)
@@ -31,7 +31,10 @@
has_many :time_entry_activities
has_many :members,
lambda { joins(:principal, :roles).
- where("#{Principal.table_name}.type='User' AND #{Principal.table_name}.status=#{Principal::STATUS_ACTIVE}") }
+ ## begin patch private role
+ #where("#{Principal.table_name}.type='User' AND #{Principal.table_name}.status=#{Principal::STATUS_ACTIVE}")}
+ where("#{Principal.table_name}.type='User' AND #{Principal.table_name}.status=#{Principal::STATUS_ACTIVE} AND #{Role.table_name}.name NOT LIKE 'private.%'")}
+ ## end patch private role
has_many :memberships, :class_name => 'Member'
has_many :member_principals,
lambda { joins(:principal).
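Review bot: the added `where` condition on `has_many :members` decides privacy by role name (`#{Role.table_name}.name NOT LIKE 'private.%'`), so member visibility changes whenever a role is renamed, and the match follows the database's LIKE rules (case-insensitive under MySQL's default collations, case-sensitive on PostgreSQL) rather than one fixed rule. Suggest filtering on a dedicated boolean column on roles, as the issue description proposes, or at least keeping the prefix in a single named scope or constant instead of an inline string. The commented-out original `where(...)` line and the `## begin patch` / `## end patch` markers can be dropped, since the diff already records the previous condition.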
Not sure why this happened. When I add private to developer role it is not private, it is visible in the project overview when the reporter logs in.
Thanks
Filip
Updated by Wim DePreter over 8 years ago
I've made some changes to my patch for Redmine 3.2
Usage:
- A role is private if name of role begins with "private." (case-sensitive!)
- Only administrator can assign a private role to a user/group
- Patch has no impact on Custom Fields of type User, but it is possible in Redmine:
  - to select which users (by role) are listed
  - which users (by role) can see the custom field
Updated by Wim DePreter over 8 years ago
Wim DePreter wrote:
- I didn't find a way to filter the detailed view in issue-summary for assignees or authors, so a page 404 is shown instead (if current user can't see all members)
I've updated my latest patch, so that detailed issue summary for authors/assignees is possible for every user
Updated by Wim DePreter over 8 years ago
- private roles are now visible in project-overview for admin-users
- undo (most of) my changes to user_controller.rb, because the patch is meant to hide the user-info of private-roles
- as a consequence, when user A with (only) a private role acts on an issue, and user B (without permission to view all users) tries to consult the user-info of user A, he will get an error-message 403 (not authorised).
- in the old version, all user-info of private members was available to all members (this could be a problem with confidentiality)
- I'm not totally happy with my modifications to principal.rb
- all private roles are still listed in user-info
Updated by Wim DePreter over 3 years ago
Update patch for Redmine 4.2 (still very basic, because I have no Ruby experience)