Defect #28069

Queries 403 error if query author is not in the roles list

Added by Stephane Evr over 3 years ago.

Status: New
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: -
Target version: -
Resolution:
Affected version:

Description

How to reproduce (with vanilla Redmine 3.4):

- Go to a project where you are a member with Role A
- Create a query and save it. Make it visible to Role B
- Save the query

Result:
- Error 403

In my opinion, a query should always be visible to its author, provided that he has sufficient rights to access the project.

How to fix it:
Here: https://github.com/redmine/redmine/blob/7fd04e1f8d36d78ee4f680d0a312c9eac2c65e90/app/models/query.rb#L339

In the case above, a simple check on user == self.user should fix the problem.
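
A simplified model of the visibility check discussed in this report, added here as an example; it is not Redmine's code and not the reporter's. The `SavedQuery` and `Member` names, the role symbols and the sample users are hypothetical and constructed for illustration. It contrasts a role-only check with one that also admits the author, while keeping the project-access check first.

```ruby
# Simplified, constructed model of role-scoped saved-query visibility.
# Not Redmine's code: SavedQuery, Member and the role symbols are hypothetical.
Member = Struct.new(:name, :roles, :can_view_project)

class SavedQuery
  attr_reader :author, :visible_roles

  def initialize(author:, visible_roles:)
    @author = author
    @visible_roles = visible_roles
  end

  # Behaviour described in the report: only role overlap is considered,
  # so an author outside the selected roles is denied (the 403).
  def visible_without_author_check?(user)
    return false unless user.can_view_project
    (user.roles & visible_roles).any?
  end

  # Proposed behaviour: project access is still checked first, then the
  # author is always allowed; everyone else still needs a matching role.
  def visible_with_author_check?(user)
    return false unless user.can_view_project
    return true if user.equal?(author) # identity here; a real model would compare ids
    (user.roles & visible_roles).any?
  end
end

# Returns { user => [role_only_result, with_author_check_result] }.
def visibility_matrix
  author   = Member.new("author", [:role_a], true)
  reader   = Member.new("reader", [:role_b], true)
  outsider = Member.new("outsider", [:role_c], true)
  removed  = Member.new("removed_author", [:role_a], false) # lost project access

  query    = SavedQuery.new(author: author, visible_roles: [:role_b])
  orphaned = SavedQuery.new(author: removed, visible_roles: [:role_b])

  pairs = { author: [query, author], reader: [query, reader],
            outsider: [query, outsider], removed_author: [orphaned, removed] }
  pairs.transform_values do |q, u|
    [q.visible_without_author_check?(u), q.visible_with_author_check?(u)]
  end
end

visibility_matrix.each { |who, result| puts "#{who}: #{result.inspect}" }
```

The author check changes the outcome only for the author; a user with an unrelated role, and an author who no longer has access to the project, are denied in both variants.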
