
Defect #34221

closed

Multiple roles for one user override ticket editing permissions

Added by Matthias Lehmann over 3 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Permissions and roles
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Invalid
Affected version:

Description

I’ve created a user (Testuser) and assigned two roles to him (Role A & Role B). Role A is limited to view and add tickets (in Administration / Roles / Permissions overview).
Role B is additionally allowed to edit tickets (also from the general permissions overview), which is then restricted again via Administration / Workflow / Field permissions, to only be allowed to change certain fields depending on the state of the ticket.
If that Testuser then edits a ticket, he’s allowed to change essentially all fields. If I remove the allocation of Role A, the number of fields he’s allowed to edit is consistent with the settings made for Role B.

This issue is probably linked to #13360.

The system is as follows:
Ruby 2.6.5-p114
Rails 5.2.4.1
SQLite Database
no plugins installed

#1

Updated by Go MAEDA over 3 years ago

Matthias Lehmann wrote:

I’ve created a user (Testuser) and assigned two roles to him (Role A & Role B). Role A is limited to view and add tickets (in Administration / Roles / Permissions overview).
Role B is additionally allowed to edit tickets (also from the general permissions overview), which is then restricted again via Administration / Workflow / Field permissions, to only be allowed to change certain fields depending on the state of the ticket.
If that Testuser then edits a ticket, he’s allowed to change essentially all fields. If I remove the allocation of Role A, the number of fields he’s allowed to edit is consistent with the settings made for Role B.

I think it is the expected behavior. Testuser has all permissions assigned to the two roles.

1. Testuser has edit_issues permission via Role B
2. Testuser also has read/write permission for all fields via Role A
3. Testuser is allowed to update all fields because the user has edit_issues permission and read/write permission for all fields
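As an added example (not code from this issue or from Redmine itself), the following Ruby model reproduces the merge behaviour described in the comment: module permissions are the union of all roles, and a workflow field rule only applies when every assigned role carries it, so a second role with no field rules unlocks the fields. Role and field names, the tracker/status key and the tie-break for conflicting rules are assumptions made for the illustration.

```ruby
# Simplified model of the permission merge described above.
# Not Redmine's own code: names, data shapes and the tie-break are assumptions.

# Per-role workflow field rules keyed by [tracker, status]: field => 'readonly' | 'required'.
# A role with no entry for a field places no restriction on it.
ROLE_A = { permissions: %i[view_issues add_issues], field_rules: {} }
ROLE_B = {
  permissions: %i[view_issues add_issues edit_issues],
  field_rules: {
    ['Bug', 'New'] => { 'assigned_to' => 'readonly', 'due_date' => 'readonly', 'priority' => 'required' }
  }
}

# Module permissions: granted if ANY assigned role grants them (union).
def allowed_to?(roles, permission)
  roles.any? { |r| r[:permissions].include?(permission) }
end

# Effective field rule: a field is restricted only when EVERY role restricts it.
# When all roles restrict it but disagree (readonly vs required), the assumed
# tie-break is 'required'.
def effective_field_rules(roles, tracker, status, fields)
  fields.each_with_object({}) do |field, result|
    rules = roles.map { |r| r[:field_rules].fetch([tracker, status], {})[field] }
    next if rules.any?(&:nil?) # one unrestricted role unlocks the field
    result[field] = rules.uniq.size == 1 ? rules.first : 'required'
  end
end

# Fields the user may change: needs edit_issues, minus effectively read-only fields.
def editable_fields(roles, tracker, status, fields)
  return [] unless allowed_to?(roles, :edit_issues)
  rules = effective_field_rules(roles, tracker, status, fields)
  fields.reject { |f| rules[f] == 'readonly' }
end

FIELDS = %w[subject assigned_to due_date priority]

if __FILE__ == $0
  puts "Role B only:     #{editable_fields([ROLE_B], 'Bug', 'New', FIELDS).inspect}"
  puts "Role A + Role B: #{editable_fields([ROLE_A, ROLE_B], 'Bug', 'New', FIELDS).inspect}"
end
```

Running it shows why stacking a permissive role on top of a restricted one widens what the user can edit: field-level restrictions must be set on every role a member holds to stay effective.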

#2

Updated by Go MAEDA over 3 years ago

  • Status changed from New to Closed
  • Resolution set to Invalid