Defect #25607
open
Users can't see issues they've been assigned to.
Added by Serghei Zagorinyak over 7 years ago.
Updated almost 7 years ago.
Category:
Permissions and roles
Description
As tracker visibility for roles was introduced, it has become possible to assign a user to an issue that can't be viewed by this user.
Preconditions:
1. User_1 with a role that can be assigned to issues and has no access to some tracker (tracker_1).
2. User_2 with a role that can edit tracker_1 issues.
Steps to reproduce:
1. User_2 assigns User_1 to issue_1 with tracker_1
Expected behavior:
1. User_1 can access issue_1 while he is assigned to it
Current behavior:
1. User_1 cannot access issue_1 though he is assigned to it.
I see here two possible expected behaviors (may be more) :
The solution you said :
- User_2 assigns User_1 to issue_1 with tracker_1 (that User_1 cannot see)
- User_1 can access issue_1 while he is assigned to it even if not allowed to see tracker_1
Another solution :
- User_2 can't assign User_1 to issue_1 with tracker_1 (because User_1 cannot see), specifically, User_1 doesn't appears in the assign_to choices
Is someone have another solution or is open to challenge those both solutions ?
I volunteer to implement the fix once discussed.
Thanks !
I'm interested in implementing it the way I suggested :) Or at least in providing some mechanism to override tracker visibility restrictions. Sometimes it may be necessary to allow access to issues that otherwise should not be seen by users. IMO, giving user a new role is a bad option in this case, cause this will lead to opening all issues of the kind to him whilst only one is required.
It may be a better option to prohibit assigning users to trackers they can't access, but to allow adding them as watchers thus letting them see issues even when tracker visibility rules say otherwise.
For sure, this issue seems tough to find the right middle.
Here's what I see as a possible solution from what we both propose, let me know what you think.
User A : The user that can see always everything
User B : The user that cannot see the Tracker A
- User A try to assign Issue with Tracker A to User B, User A receive an flashbag error message "The user you try to assign to this issue cannot see this tracker".
- User A try to set Tracker A on issue that is already assigned to User B, User A receive an flashbag message "The user that is assigned to this issue cannot access this tracker, change Assigned_to value and try again".
About watchers I think that just make them cannot see the issue seems simply correct.
What do you think ?
David Côté-Tremblay wrote:
For sure, this issue seems tough to find the right middle.
Here's what I see as a possible solution from what we both propose, let me know what you think.
User A : The user that can see always everything
User B : The user that cannot see the Tracker A
- User A try to assign Issue with Tracker A to User B, User A receive an flashbag error message "The user you try to assign to this issue cannot see this tracker".
- User A try to set Tracker A on issue that is already assigned to User B, User A receive an flashbag message "The user that is assigned to this issue cannot access this tracker, change Assigned_to value and try again".
About watchers I think that just make them cannot see the issue seems simply correct.
What do you think ?
As for the first suggested option, I don't think that it makes sense to list users that can't be assigned to the issue. So besides this validation, I'd also propose to filter assigned_to user list removing invalid options.
As for the second case, I completely agree.
I didn't quite understand what you meant about watchers. If you mean that User B should see Tracker A issue when added as watcher to it, then it's ok.
I say do both with a setting per tracker =D
Also available in: Atom
PDF