Defect #20206
closed
Members w/o view issues permission are able to list issues on public projects if the non member role has the permission
Added by Toshi MARUYAMA over 9 years ago.
Updated over 9 years ago.
Description
Direct links return 403.
- /issues/<id>
- /projects/<id>/issues
But issues of a project with no "View Issues" role are listed on "View all issues".
This happens because your "Non member" role has the "View issues" permission.
Issue.visible and Issue#visible? don't behave the same in this particular case. Issue.visible considers the non member permissions even for members, but Issue#visible? does not. I think that members should not have fewer permissions than non members and the behaviour should be aligned on the Issue.visible scope.
- Status changed from New to Closed
- Assignee set to Jean-Philippe Lang
- Resolution set to Fixed
- Subject changed from "View all issues"lists issues nevertheless role has no "View Issues" to Members w/o view issues permission are able to list issues on public projects if the non member role has the permission
- Related to Defect #19602: Non-Reporter role cannot see issue list added
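
The mismatch described in the comment above, as an added Ruby example that is not Redmine's code and not part of the original thread: a simplified model in which the list path consults the non-member role even for members while the per-record path does not, plus a check that reports every user/project pair where the two disagree. All names (Role, Project, User, record_visible?, list_visible?, mismatches) are hypothetical and the data is constructed.

```ruby
# Simplified model of the two authorization paths described above.
# Not Redmine code: Role, Project, User and both checks are hypothetical.
Role    = Struct.new(:name, :permissions)
Project = Struct.new(:name, :is_public)
User    = Struct.new(:login, :memberships) # memberships: { Project => [Role] }

NON_MEMBER = Role.new("Non member", [:view_issues])

# Roles a user holds on a project; users with no membership on a public
# project fall back to the built-in non-member role.
def roles_for(user, project)
  roles = user.memberships.fetch(project, [])
  return roles unless roles.empty?
  project.is_public ? [NON_MEMBER] : []
end

# Per-record path (models Issue#visible?): only the user's own roles count.
def record_visible?(user, project)
  roles_for(user, project).any? { |r| r.permissions.include?(:view_issues) }
end

# List path (models the Issue.visible scope as described): on public
# projects the non-member role is consulted even for members.
def list_visible?(user, project)
  return true if project.is_public && NON_MEMBER.permissions.include?(:view_issues)
  record_visible?(user, project)
end

# Regression check: every (user, project) pair where the paths disagree.
def mismatches(users, projects)
  users.product(projects).select do |u, p|
    list_visible?(u, p) != record_visible?(u, p)
  end.map { |u, p| [u.login, p.name] }
end

# Constructed sample data.
restricted = Role.new("Restricted", [])            # no :view_issues
reporter   = Role.new("Reporter", [:view_issues])
pub  = Project.new("public-proj", true)
priv = Project.new("private-proj", false)
alice = User.new("alice", { pub => [restricted] }) # member without the permission
bob   = User.new("bob",   { pub => [reporter], priv => [reporter] })
carol = User.new("carol", {})                      # member of nothing

MISMATCHES = mismatches([alice, bob, carol], [pub, priv])
puts MISMATCHES.inspect
```

Running the same pairwise comparison against the real list and detail code paths in a test suite catches this class of drift whenever one path's permission logic changes without the other.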