Defect #34221
closedMultiple roles for one user override ticket editing permissions
0%
Description
I’ve created a user (Testuser) and assigned two roles to him (Role A & Role B). Role A is limited to view and add tickets (in Administration / Roles / Permissions overview).
Role B is additionally allowed to edit tickets (also from the general permissions overview), which is then restricted again via Administration / Workflow / Field permissions, to only be allowed to change certain fields depending on the state of the ticket.
If that Testuser then edits a ticket, he’s allowed to change essentially all fields. If I remove the allocation of Role A, the number of fields he’s allowed to edit is consistent with the settings made for Role B.
This issue is probably linked to #13360
The system is as follows:
Ruby 2.6.5-p114
Rails 5.2.4.1
SQLite Database
no plugins installed
Updated by Go MAEDA about 4 years ago
Matthias Lehmann wrote:
I’ve created a user (Testuser) and assigned two roles to him (Role A & Role B). Role A is limited to view and add tickets (in Administration / Roles / Permissions overview).
Role B is additionally allowed to edit tickets (also from the general permissions overview), which is then restricted again via Administration / Workflow / Field permissions, to only be allowed to change certain fields depending on the state of the ticket.
If that Testuser then edits a ticket, he’s allowed to change essentially all fields. If I remove the allocation of Role A, the number of fields he’s allowed to edit is consistent with the settings made for Role B.
I think it is the expected behavior. Testuser has all permissions assigned to the two roles.
1. Testuser has edit_issues permission via Role B
2. Testuser also has read/write permission for all fields via Role A
3. Testuser is allowed to update all fields because the user has edit_issues permission and read/write permission for all fields
Updated by Go MAEDA about 4 years ago
- Status changed from New to Closed
- Resolution set to Invalid