Defect #28069
openQueries 403 error if query author is not in the roles list
Status: New
Priority: Normal
Assignee: -
Category: Issues
Target version: -
% Done: 0%
Description
How to reproduce (with vanilla Redmine 3.4):
- Go to a project where you are a member with Role A
- Create a query and save it. Make it visible to Role B
- Save the query
Result:
- Error 403
In my opinion, a query should always be visible to its author, provided that he has sufficient rights to access the project.
How to fix it:
Here: https://github.com/redmine/redmine/blob/7fd04e1f8d36d78ee4f680d0a312c9eac2c65e90/app/models/query.rb#L339
In the case above, a simple check on user == self.user should fix the problem.
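The following is an added example, not part of the original report and not Redmine's code: a stand-alone Ruby model of a role-restricted visibility check, with the reported behaviour and the proposed author check side by side. The class, method and user names are hypothetical, the sample users are constructed, and the 403 is modelled simply as the check returning false.

```ruby
# Stand-alone model of a role-restricted saved query. Names are hypothetical,
# not Redmine's; users and roles below are constructed sample data.
User = Struct.new(:name, :admin, :roles, :can_view_project, keyword_init: true)

class SavedQuery
  PRIVATE = 0
  ROLES   = 1
  PUBLIC  = 2

  def initialize(author:, visibility:, roles: [])
    @author = author
    @visibility = visibility
    @roles = roles
  end

  # author_check: false models the reported behaviour, true the proposed fix.
  def visible?(user, author_check:)
    return true if user.admin
    # Project access is still required, as the report stipulates.
    return false unless user.can_view_project
    return true if author_check && user == @author

    case @visibility
    when PUBLIC then true
    when ROLES  then (user.roles & @roles).any?
    else user == @author
    end
  end
end

ALICE = User.new(name: "alice", admin: false, roles: [:role_a], can_view_project: true)
BOB   = User.new(name: "bob",   admin: false, roles: [:role_b], can_view_project: true)
CAROL = User.new(name: "carol", admin: false, roles: [:role_a], can_view_project: true)
# Author who has since lost access to the project.
DAVE  = User.new(name: "dave",  admin: false, roles: [], can_view_project: false)

QUERY      = SavedQuery.new(author: ALICE, visibility: SavedQuery::ROLES, roles: [:role_b])
DAVE_QUERY = SavedQuery.new(author: DAVE,  visibility: SavedQuery::ROLES, roles: [:role_b])

[ALICE, BOB, CAROL].each do |u|
  puts format("%-5s before=%-5s after=%s", u.name,
              QUERY.visible?(u, author_check: false), QUERY.visible?(u, author_check: true))
end
puts "dave  after=#{DAVE_QUERY.visible?(DAVE, author_check: true)}"
```

Placing the author check after the project-access check keeps the change from widening access: a Role A member who is not the author still cannot see the query, and an author without project access is still denied.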