Project

General

Profile

Actions

Defect #25258

closed

Field permissions ignored if the user and the group one belongs to share the same role

Added by Marcin Szewczyk over 7 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Issues workflow
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Duplicate
Affected version:

Description

I've marked version 3.0.0 as the affected one because in Debian the package is versioned as 3.0~20140825, but the code suggests that the current Redmine might still be affected.

As stated in the subject, when there is a following situation:
User 9 gets its role (6) directly and from the group's (12) role. For role 6 there is a "required" flag for some field.

# select member_roles.id, role_id, member_id,
  user_id, inherited_from, type
  from member_roles
  join members on member_roles.member_id = members.id
  join users on user_id = users.id
  where user_id in (9, 12);
 id | role_id | member_id | user_id | inherited_from | type  
----+---------+-----------+---------+----------------+-------
 33 |       6 |        13 |      12 |                | Group
 38 |       6 |        15 |       9 |             33 | User
 29 |       6 |        15 |       9 |                | User
(3 rows)

Field permissions (like "required") are ignored which leads to a workflow violation.

The reason is that in models/issue.rb inside workflow_rule_by_attribute() there is a line next if rules.size < roles.size. When a role for the user comes from both directly the user and the group, the same role is returned twice by roles_for_project() and the condition becomes true. In consequence the returned result of workflow_rule_by_attribute() is empty.

I propose changing one line in models/user.rb in roles_for_project(), i.e. from membership.roles to membership.roles.uniq. A short patch attached.

Note to future self: next if rules.size < roles.size means "don't apply permissions if for the field for any of the roles there is none set (inherited lack of restrictions)".


Files

user.rb.patch (391 Bytes) user.rb.patch roles_for_project() returning only unique roles Marcin Szewczyk, 2017-03-03 23:56

Related issues

Has duplicate Redmine - Defect #19569: Field permissions not working properly with inherited membershipsClosedJean-Philippe Lang

Actions
Actions

Also available in: Atom PDF