Defect #25258
closedField permissions ignored if the user and the group one belongs to share the same role
0%
Description
I've marked version 3.0.0 as the affected one because in Debian the package is versioned as 3.0~20140825, but the code suggests that the current Redmine might still be affected.
As stated in the subject, when there is a following situation:
User 9 gets its role (6) directly and from the group's (12) role. For role 6 there is a "required" flag for some field.
# select member_roles.id, role_id, member_id, user_id, inherited_from, type from member_roles join members on member_roles.member_id = members.id join users on user_id = users.id where user_id in (9, 12); id | role_id | member_id | user_id | inherited_from | type ----+---------+-----------+---------+----------------+------- 33 | 6 | 13 | 12 | | Group 38 | 6 | 15 | 9 | 33 | User 29 | 6 | 15 | 9 | | User (3 rows)
Field permissions (like "required") are ignored which leads to a workflow violation.
The reason is that in models/issue.rb
inside workflow_rule_by_attribute()
there is a line next if rules.size < roles.size
. When a role for the user comes from both directly the user and the group, the same role is returned twice by roles_for_project()
and the condition becomes true. In consequence the returned result of workflow_rule_by_attribute()
is empty.
I propose changing one line in models/user.rb
in roles_for_project()
, i.e. from membership.roles
to membership.roles.uniq
. A short patch attached.
Note to future self: next if rules.size < roles.size
means "don't apply permissions if for the field for any of the roles there is none set (inherited lack of restrictions)".
Files
Related issues