Project

General

Profile

Actions

Defect #23655

closed

Restricted permissions for non member/anonymous on a given project not working

Added by Alexander Schittler over 8 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Category:
Permissions and roles
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:

Description

When assigning a custom role "Non-member user", permission inheritance is broken (or simply undefined behavior because the Yes/No/Never model does not apply) on some views, when:

  • The default "Non-member user" role has View Issue and Issue Visibility set to all.
  • The custom assigned role has View Issue, but Issue Visibility set to created and assigned.

With this setup, the user will be able to see Issues not related to them at /issues, but /issues/<id> will throw a 403.

This might affect other features that use role-based filtering too (e.g. Time Logs, Users).


Files

project-setting.png (18.7 KB) project-setting.png Toshi MARUYAMA, 2016-08-25 04:12
role.png (43.2 KB) role.png Toshi MARUYAMA, 2016-08-25 04:12
desired_member_settings.png (109 KB) desired_member_settings.png Holger Just, 2016-08-25 11:25
Redmine-2018-05-08-10-19-33.png (12.1 KB) Redmine-2018-05-08-10-19-33.png Jens Stein, 2018-05-08 10:32
TicketViewer - Rollen - Redmine-2018-05-08-10-30-58.png (47.8 KB) TicketViewer - Rollen - Redmine-2018-05-08-10-30-58.png Jens Stein, 2018-05-08 10:32
Actions

Also available in: Atom PDF