Defect #34570

Misleading workflow/permission issue

Added by James Brady 10 months ago. Updated 9 months ago.

Status:NewStart date:
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:Permissions and roles
Target version:-
Resolution: Affected version:4.1.1

Description

I'm using the latest version of Turnkey Linux Redmine:
https://www.turnkeylinux.org/redmine

Environment:
  Redmine version                4.1.1.stable
  Ruby version                   2.6.6-p146 (2020-03-31) [x86_64-linux]
  Rails version                  5.2.4.2
  Environment                    production
  Database adapter               Mysql2
  Mailer queue                   ActiveJob::QueueAdapters::AsyncAdapter
  Mailer delivery                sendmail
SCM:
  Subversion                     1.10.4
  Git                            2.20.1
  Filesystem                     
Redmine plugins:
  no plugin installed

If a user is assigned multiple roles, any workflow defined on any role will affect that user, even if one of those roles has no editing issue edit permission.

Example:
  • Role 1
    • I don't remove Close status from all statuses in that role's Workflow.
    • I remove all edit permissions from Issue Tracking permissions.
  • Role 2
    • I remove Close status from all statuses from that role's Workflow.
    • I allow Edit Issues permission in Issue Tracking permissions.

If I assign a user both Role 1 and Role 2, he will be able to Close issues.

Not sure if you'd consider this a defect per se, but I just spent a chunk of time configuring a new redmine server at work, and it took me a bit to figure out why my users had the ability to close issues, even when the workflows I painstakingly defined for them appeared to prevent it.
It was because I was using multiple roles to control their access, and I hadn't edited the workflow of the other role to match, or at least not conflict.
The confusion is bolstered by the fact that you can't see the role in the dropdown on the Workflow edit page, to correct such a mistake, until you restore the edit permissions on that Role's edit page, in the Permission's section.

Since issue status workflows only really come into play for someone who has edit permission for Issues, I suggest that worfklows become effectively disabled for any role whenever that role loses edit permission for Issues.


Related issues

Related to Redmine - Defect #34284: In Role edit view the per tracker table only shows up whe... New
Follows Redmine - Defect #15988: Unexpected behaviour on issue fields for users that have ... Closed
Follows Redmine - Feature #285: Tracker role-based permissioning Closed

History

#1 Updated by Go MAEDA 10 months ago

James Brady wrote:

Example:
  • Role 1
    • I don't remove Close status from all statuses in that role's Workflow.
    • I remove all edit permissions from Issue Tracking permissions.
  • Role 2
    • I remove Close status from all statuses from that role's Workflow.
    • I allow Edit Issues permission in Issue Tracking permissions.

If I assign a user both Role 1 and Role 2, he will be able to Close issues.

It is normal behavior. A user with multiple roles has all permissions assigned to the roles. And the user also is allowed all status transitions configured for the roles.

Since the user in the example belongs to "Role 1" and "Role 2", all permissions and status transitions configured in both roles are available for the user. The user has "Edit issues" permission because it is allowed via "Role 2", and is allowed to change the status of an issue to "Close" because the transition is allowed via "Role 1".

#2 Updated by James Brady 10 months ago

I understand that the user has edit capability because the permissions are active on at least one of the roles.
I still suggest it's a bit unclear, on its face, that the workflow for the role without edit permission affects anything, particularly since that workflow cannot be edited while the edit permissions are off.

#3 Updated by Mischa The Evil 9 months ago

James Brady wrote:

[...]
The confusion is bolstered by the fact that you can't see the role in the dropdown on the Workflow edit page, to correct such a mistake, until you restore the edit permissions on that Role's edit page, in the Permission's section.

[...]
I still suggest it's a bit unclear, on its face, that the workflow for the role without edit permission affects anything, particularly since that workflow cannot be edited while the edit permissions are off.

I agree with James that this could be very unexpected behavior that could be hard to pin down especially due to the mentioned UI-issue.

Given that issues regarding this are repeatedly posted on redmine.org, I think that this should be at the least properly and thoroughly documented. But then, the whole current documentation (not only on these more advanced situations with workflow transitions/field permissions, (global-)permissions and their combined effect when also being applied through multiple roles, etc.) is pretty sparse to begin with.

@Everyone: feel free to update the wiki with the herein provided information.

#4 Updated by Mischa The Evil 9 months ago

  • Related to Defect #34284: In Role edit view the per tracker table only shows up when "View Issues" permission is selected added

#5 Updated by Mischa The Evil 9 months ago

  • Follows Defect #15988: Unexpected behaviour on issue fields for users that have multiple roles added

#6 Updated by Mischa The Evil 9 months ago

  • Follows Feature #285: Tracker role-based permissioning added

Also available in: Atom PDF