Actions
Defect #20206
closed
Members w/o view issues permission are able to list issues on public projects if the non member role has the permission
Start date:
Due date:
% Done:
0%
Estimated time:
Resolution:
Fixed
Affected version:
Description
Direct links return 403.
- /issues/<id>
- /projects/<id>/issues
But issues of project with no "View Issues" role are listed on "View all issues".
Related issues
Updated by Jean-Philippe Lang over 9 years ago
This happens because your "Non member" role has the "View issues" permission.
Issue.visible and Issue#visible? doesn't behave the same in this particular case. Issue.visible considers the non member permissions even for members, but Issue#visible? does not. I think that members should not have less permissions than non members and behaviour should be aligned on the Issue.visible scope.
Updated by Jean-Philippe Lang over 9 years ago
- Status changed from New to Closed
- Assignee set to Jean-Philippe Lang
- Resolution set to Fixed
Updated by Jean-Philippe Lang over 9 years ago
- Subject changed from "View all issues"lists issues nevertheless role has no "View Issues" to Members w/o view issues permission are able to list issues on public projects if the non member role has the permission
Updated by Toshi MARUYAMA over 9 years ago
- Related to Defect #19602: Non-Reporter role cannot see issue list added
Actions