Project

General

Profile

Actions

Defect #23175

closed

Ticket overview table on project page (from 3.2) exposes trackers to user roles with insufficient permissions

Added by Tobias Fischer over 8 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
High
Assignee:
-
Category:
Projects
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:

Description

Let's say you have a project "A" with internal and external users.
And then there's project "B" which is a subproject of "A" and only internal users are allowed.
The internal project "B" uses the same trackers like project "A" plus some additional ones.

When an external user accesses the project "A" project page (overview) it can see the project-"B"-only trackers in the ticket overview table.
At least, the ticket counter is set to "0" in all columns, but still I would expect the tracker beeing hidden when the user role cannot access it!

This problem exists since Redmine 3.2

Actions

Also available in: Atom PDF