Defect #23175
Ticket overview table on project page (from 3.2) exposes trackers to user roles with insufficient permissions
Status: Closed
Priority: High
Assignee: -
Category: Projects
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Fixed
Affected version:
Description
Let's say you have a project "A" with internal and external users.
And then there's project "B" which is a subproject of "A" and only internal users are allowed.
The internal project "B" uses the same trackers as project "A" plus some additional ones.
When an external user accesses the project "A" project page (overview) it can see the project-"B"-only trackers in the ticket overview table.
At least, the ticket counter is set to "0" in all columns, but still I would expect the tracker being hidden when the user role cannot access it!
This problem has existed since Redmine 3.2.
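
A simplified Ruby model of the behaviour described in this report, added here as an illustration; it is not Redmine's code or the fix that closed the ticket. The `Project` struct, the method names, and the sample users, trackers and issues are all hypothetical.

```ruby
# Simplified model of the report above; NOT Redmine's code.
# All names (Project, overview_rows_*, the users, the trackers) are hypothetical.
Project = Struct.new(:name, :trackers, :members, :children) do
  def visible_to?(user)
    members.include?(user)
  end

  def self_and_descendants
    [self] + children.flat_map(&:self_and_descendants)
  end
end

# Projects in the subtree that the user is allowed to see.
def visible_projects(project, user)
  project.self_and_descendants.select { |p| p.visible_to?(user) }
end

# Issue counts are always restricted to visible projects; only the row set differs.
def build_rows(trackers, project, user, issues)
  names = visible_projects(project, user).map(&:name)
  trackers.to_h do |t|
    [t, issues.count { |i| i[:tracker] == t && names.include?(i[:project]) }]
  end
end

# Leaky: rows come from every tracker in the subtree, so a tracker that exists
# only in a hidden subproject still appears, with a count of 0.
def overview_rows_leaky(project, user, issues)
  all_trackers = project.self_and_descendants.flat_map(&:trackers).uniq
  build_rows(all_trackers, project, user, issues)
end

# Filtered: rows come only from trackers of projects the user can see.
def overview_rows_filtered(project, user, issues)
  trackers = visible_projects(project, user).flat_map(&:trackers).uniq
  build_rows(trackers, project, user, issues)
end

# Constructed sample data: "eve" is external (member of A only),
# "alice" is internal (member of A and its subproject B).
B = Project.new('B', %w[Bug Feature InternalAudit], %w[alice], [])
A = Project.new('A', %w[Bug Feature], %w[alice eve], [B])
ISSUES = [
  { project: 'A', tracker: 'Bug' },
  { project: 'B', tracker: 'Bug' },
  { project: 'B', tracker: 'InternalAudit' }
].freeze
```

A regression test for this class of bug asserts on the row keys, not only on the counts, since the counts were already correct in the reported behaviour.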