Defect #23175
closedTicket overview table on project page (from 3.2) exposes trackers to user roles with insufficient permissions
0%
Description
Let's say you have a project "A" with internal and external users.
And then there's project "B" which is a subproject of "A" and only internal users are allowed.
The internal project "B" uses the same trackers like project "A" plus some additional ones.
When an external user accesses the project "A" project page (overview) it can see the project-"B"-only trackers in the ticket overview table.
At least, the ticket counter is set to "0" in all columns, but still I would expect the tracker beeing hidden when the user role cannot access it!
This problem exists since Redmine 3.2
Updated by Jean-Philippe Lang over 8 years ago
- Status changed from New to Needs feedback
I confirm that 3.2 would display all the trackers that are enabled on the project and its subprojects.
But Redmine 3.3.0 behaves as you expect, the user won't see the additional trackers of the private subproject. Have you tried it with 3.3?
Updated by Tobias Fischer over 8 years ago
Alright, tested the new 3.3 release and as you said, the issue is fixed there.
Thanks and nevermind.
Updated by Jean-Philippe Lang over 8 years ago
- Status changed from Needs feedback to Resolved
- Resolution set to Fixed
Glad that it works as needed, thanks for the fast feedback.
Updated by Toshi MARUYAMA over 8 years ago
- Status changed from Resolved to Closed