Actions
Feature #17747
open
Private roles
Status:
New
Priority:
Normal
Assignee:
-
Category:
Permissions and roles
Target version:
-
Start date:
Due date:
% Done:
0%
Estimated time:
Resolution:
Description
This is a proposal for changing visibility of some project (non-)members, by using private roles.
Private roles could be used:
Private roles could be used:
- to give users access to a private project, without being visible as project members
f.e. read-only access (users can't be assignees or authors) - to change permissions of users to a public project, without being visible as project members
f.e. give trusted users (non contributors) the permission to create issue-relations on redmine.org
The visibility of users with a private role is equivalent to the "Non member" role
This implies certain changes:- a boolean-attribute "private" on roles
- private role and users with this role are not listed in project overview
- users with (only) a private role are not listed:
- in issue query - user-combobox (author, assignee, custom user field)
- in issue summary (assignee/author list)
- users with (only) a private role are visible (like non-members) if they acted on an issue (as author or when adding a note):
- in activity overview
- in issue detail
- in issue query if grouped by author/assignee
Note that a user can have a private role on a certain project, and a public role (member) on another project
Optional - permission "view private users"¶
If a user has the permission "view users with private role", then users with private roles are treated the same as users with public roles
Some related issues:¶
Files
Related issues
Updated by Toshi MARUYAMA over 10 years ago
- Related to Defect #7645: Issue summary should filter Assignee & Author lists added
Updated by Toshi MARUYAMA over 10 years ago
- Related to Feature #11724: Prevent users from seeing other users based on their project membership added
Updated by Wim DePreter almost 10 years ago
With implementation of #11724, my requested optional permission "view private users" should be changed into an extra option for Users visibility, which should have 3 options:
- (existing) All active users
- (existing) All members of visible projects
- (new) All non-private members of visible projects
- Give readonly-access for a private project to users without being visible to other users (f.e. for reporting)
- Hide "internal" users (this is our case)
we have a private project per customer and: - all "internal" users should have access (via private role) to all customer projects
- "customer" user should only see
- other users of the same customer (by definition, customer user has only access to his project)
- account manager for that customer ("account manager" is a not-private role)
- none of the (other, i.e. different from the account manager) "internal" users
Updated by Wim DePreter almost 10 years ago
I've no experience with Ruby, but inspired by (and building on) the modifications for #11724, I've created a patch.
It's very basic (created with trial and error), and maybe there are still some issues with it.
- A role is private if name begins with "private."
(this should be a new "private" attribute on roles, but I don't want to introduce database-changes with a patch) - Only administrator can assign a private role to a user/group
- Patch doesn't work for Custom User Fields (we don't use these, and I couldn't find how to filter the list)
- Role option user visibility = "Members of visible projects" is always considered as "All non-private members of visible projects"
- I've reverted a change from r13584 (users_controller.rb), because if user with private role (or non-member?) acts on an issue (or is assigned to an issue), user-detail should be visible
- I didn't find a way to filter the detailed view in issue-summary for assignees or authors, so a page 404 is shown instead (if current user can't see all members)
- Patch is tested in a single-user environment (bitnami-package), maybe there are some performance-issues
Updated by Toshi MARUYAMA almost 10 years ago
- Related to Feature #6015: Private Users added
Updated by Toshi MARUYAMA almost 10 years ago
- Related to Feature #13533: Concept for controlling visibility of users added
Updated by Filip Sabo about 9 years ago
Can I apply this patch on Redmine 3.1.1? I also have bitnami package. I am getting a reject file project.rb.rej:
--- app/models/project.rb (revision 14045)
+++ app/models/project.rb (working copy)
@@ -31,7 +31,10 @@
has_many :time_entry_activities
has_many :members,
lambda { joins(:principal, :roles).
- where("#{Principal.table_name}.type='User' AND #{Principal.table_name}.status=#{Principal::STATUS_ACTIVE}") }
+ ## begin patch private role
+ #where("#{Principal.table_name}.type='User' AND #{Principal.table_name}.status=#{Principal::STATUS_ACTIVE}")}
+ where("#{Principal.table_name}.type='User' AND #{Principal.table_name}.status=#{Principal::STATUS_ACTIVE} AND #{Role.table_name}.name NOT LIKE 'private.%'")}
+ ## end patch private role
has_many :memberships, :class_name => 'Member'
has_many :member_principals,
lambda { joins(:principal).
Not sure why this happened. When I add private to developer role it is not private, it is visible in the project overview when the reporter logs in.
Thanks
Filip
Updated by Wim DePreter almost 9 years ago
I've made some changes to my patch for Redmine 3.2
Usage:- A role is private if name of role begins with "private." (case-sensitive!)
- Only administrator can assign a private role to a user/group
- Patch has no impact on Custom Fields of type User, but it is possible in Redmine:
- to select which users (by role) are listed
- which users (by role) can see the custom field
Updated by Wim DePreter almost 9 years ago
Wim DePreter wrote:
- I didn't find a way to filter the detailed view in issue-summary for assignees or authors, so a page 404 is shown instead (if current user can't see all members)
I've updated my latest patch, so that detailed issue summary for authors/assignees is possible for every user
Updated by Wim DePreter almost 9 years ago
I've made some small changes:
- private roles are now visible in project-overview for admin-users
- undo (most of) my changes to user_controller.rb, because the patch is meant to hide the user-info of private-roles
- as a consequence, when user A with (only) a private role acts on an issue, and user B (without permission to view all users) tries to consult the user-info of user A, he will get an error-message 403 (not authorised).
- in the old version, all user-info of private members was available to all members (this could be a problem with confidentiality)
- I'm not totally happy with my modifications to principal.rb
- all private roles are still listed in user-info
Updated by Wim DePreter almost 4 years ago
update patch for redmine 4.2 (still very basic, because i have no Ruby experience)
Actions