Defect #18855
User with only Move Issue rights in the project can still create issues using mass copy!
Status: Closed
Description
I found this bug when I was trying to use a project with a list of issues as a template for other projects (process flow). I assigned members to custom role "Copy" which only allows viewing and moving issues. If, however, the user does not change the project (i.e. does not copy into another project), new issues will be created within the existing project where they do not have rights!
I am running 2.5.2 on a Bitnami stack. I do not have the chance to try 2.6.x at the moment.
Note - we use task instead of issue in our language file.
Attached screenshots:
- Custom Role Copy settings
- User does not have issue edit rights (correct)
- User can copy multiple issues at once (correct)
- Copy screenshot
- Issues were added to existing project without regard to no Add Issue rights (not correct)
Updated by Scott Cunningham about 10 years ago
I believe I have tracked down the problem.
Context menu Copy calls the bulk_edit function in issues_controller.rb, which:
- checks if user has move issue rights
- builds an allowed projects list by calling allowed_target_projects_on_move in issue.rb, which checks projects for move rights, not add rights...
So for copy, the program checks for move-out and move-in rights. But move-in rights is really add rights.
I think instead, move rights should be checked at source project and then add rights at destination project. This should block a user from copying issues into a project where they do not have add issue rights.
issues_controller.rb snippet
  # Bulk edit/copy a set of issues
  def bulk_edit
    @issues.sort!
    @copy = params[:copy].present?
    @notes = params[:notes]

    if User.current.allowed_to?(:move_issues, @projects) # <----------- this is correct: can user move/copy in the first place
      @allowed_projects = Issue.allowed_target_projects_on_move # <-------- i think this is wrong: target projects should only be add rights
      if params[:issue]
        @target_project = @allowed_projects.detect {|p| p.id.to_s == params[:issue][:project_id].to_s}
        if @target_project
          target_projects = [@target_project]
        end
      end
    end
    target_projects ||= @projects
Updated by Scott Cunningham about 10 years ago
I made a small patch and destination projects are now only ones with Add issue rights.
Unresolved: If the user does not change the project pull down from (No change), then new issues will still be created even when the permissions should not allow it. This is past my knowledge point now.
- Modify models\issue.rb file:
  # Returns a scope of projects that user can move issues to
  def self.allowed_target_projects_on_move(user=User.current)
    Project.where(Project.allowed_to_condition(user, :move_issues))
  end

  # Returns a scope of projects that user can add issues to         # <--- new
  def self.allowed_target_projects_on_copy(user=User.current)       # <--- new
    Project.where(Project.allowed_to_condition(user, :add_issues))  # <--- new
  end                                                               # <--- new
- Modify controllers\issues_controller.rb file:
  # Bulk edit/copy a set of issues
  def bulk_edit
    @issues.sort!
    @copy = params[:copy].present?
    @notes = params[:notes]

    if User.current.allowed_to?(:move_issues, @projects)
      #@allowed_projects = Issue.allowed_target_projects_on_move # <---- comment out
      @allowed_projects = Issue.allowed_target_projects_on_copy  # <---- new line
      if params[:issue]
        @target_project = @allowed_projects.detect {|p| p.id.to_s == params[:issue][:project_id].to_s}
        if @target_project
          target_projects = [@target_project]
        end
      end
    end
    target_projects ||= @projects
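To make the two points raised in these comments concrete (copy targets need add rights, not move rights, and the "(No change)" case must be checked against the issues' own project), here is an added illustration in plain Ruby. It is not Redmine's code: the User and Project stand-ins and the copy_target_projects function are assumptions that model only the permission decision, with an unauthorised target refused instead of silently falling back to the source project.

```ruby
# Added illustration (not Redmine's code): the permission decision for a
# bulk copy, as the comments above argue it should work.
Project = Struct.new(:id, :name)

class User
  # perms: {project_id => [:move_issues, :add_issues, ...]} (stand-in for roles)
  def initialize(perms)
    @perms = perms
  end

  # true only if the user holds +perm+ in every project given
  def allowed_to?(perm, projects)
    projects = [projects] unless projects.is_a?(Array)
    projects.all? { |p| @perms.fetch(p.id, []).include?(perm) }
  end

  # projects in which the user holds +perm+ (stand-in for Project.allowed_to_condition)
  def projects_allowed(perm, all_projects)
    all_projects.select { |p| allowed_to?(perm, p) }
  end
end

# Returns the projects new copies may be created in, or nil if the copy must
# be refused. +target_id+ plays the role of params[:issue][:project_id];
# "" means the "(No change)" entry of the project pull-down.
def copy_target_projects(user, all_projects, source_projects, target_id)
  # as in bulk_edit: move rights are required on every source project
  return nil unless user.allowed_to?(:move_issues, source_projects)

  if target_id.to_s.empty?
    # "(No change)": copies land in each issue's own project, so add rights
    # must be checked there as well (the unresolved case in the comment above)
    return nil unless user.allowed_to?(:add_issues, source_projects)
    return source_projects
  end

  # candidates are projects with :add_issues, not :move_issues
  allowed = user.projects_allowed(:add_issues, all_projects)
  target = allowed.detect { |p| p.id.to_s == target_id.to_s }
  target ? [target] : nil
end
```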
Updated by Jean-Philippe Lang about 10 years ago
- Target version set to Candidate for next major release
Updated by Jean-Philippe Lang almost 10 years ago
- Status changed from New to Closed
- Assignee set to Jean-Philippe Lang
- Target version changed from Candidate for next major release to 3.0.0
- Resolution set to Fixed
Updated by Go MAEDA almost 7 years ago
- Related to Patch #28311: Remove unused i18n key "permission_move_issues" added