Restriction of user visibility isn't working with internal authentication
I'm using Redmine 3.3.1 (Debian Stretch). I have two authentication methods configured: internal and LDAP. In the Settings I use the following settings:
- User visibility: Members of visible projects
- Member management: All Roles
- Permissions: Manager members
I dicovered that the restriction to view only members of visible projects (in every project's members configruration) only works for users with LDAP authentication. If a user account uses the internal authentication it can view the list of all redmine user accounts.
Updated by Toshi MARUYAMA almost 6 years ago
I cannot reproduce on vanilla Redmine 3.3.5.
I got 404 on both of internal and ldap.
Philip Heise wrote:
If a user account uses the internal authentication it can view the list of all redmine user accounts.
Which form is the list?