Project

General

Profile

Actions

Feature #35044

open

Show notice on project's overview page when the project is public

Added by Go MAEDA over 3 years ago. Updated over 3 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Projects
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:

Description

I suggest that when a project is set to public, the project overview page should show that the project is public and a message describes its impact. The message shown is the same as the one shown in the project settings page improved in #27009.

Although setting the project public sometimes may be dangerous, you cannot know if the project is public unless seeing the project's settings page.

It will be easier to notice if the project is set as public by showing the fact in the Members box. Since the Members box shows users who have access to the project, I think it is consistent to show if the project is visible by non-members or anonymous users.


Files

public-status-in-members-box.png (44.2 KB) public-status-in-members-box.png Go MAEDA, 2021-04-06 17:59
0001-Add-test.patch (2.65 KB) 0001-Add-test.patch Mizuki ISHIKAWA, 2021-05-08 09:23
0002-Add-project-public-badge.patch (2.6 KB) 0002-Add-project-public-badge.patch Mizuki ISHIKAWA, 2021-05-08 09:23
screenshot.png (300 KB) screenshot.png Mizuki ISHIKAWA, 2021-05-08 09:26

Related issues

Related to Redmine - Patch #27009: Clarify consequences of disabling the login_required settingClosedGo MAEDA

Actions
Actions #1

Updated by Go MAEDA over 3 years ago

The following code is a sample implementation.

diff --git a/app/views/projects/_members_box.html.erb b/app/views/projects/_members_box.html.erb
index e915ab910..72d7fb97b 100644
--- a/app/views/projects/_members_box.html.erb
+++ b/app/views/projects/_members_box.html.erb
@@ -4,5 +4,10 @@
     <% @principals_by_role.keys.sort.each do |role| %>
       <p><span class="label"><%= role %>:</span> <%= @principals_by_role[role].sort.collect{|p| link_to_user p}.join(", ").html_safe %></p>
     <% end %>
+    <% if @project.is_public %>
+      <hr>
+      <p span class="label"><%= l(:field_is_public) %>:</span> <%= l(:general_text_Yes) %>
+      <em class="info"><%= Setting.login_required? ? l(:text_project_is_public_non_member) : l(:text_project_is_public_anonymous) %></em>
+    <% end -%>
   </div>
   <% end %>
</diff>
Actions #2

Updated by Go MAEDA over 3 years ago

  • Related to Patch #27009: Clarify consequences of disabling the login_required setting added
Actions #3

Updated by Mizuki ISHIKAWA over 3 years ago

+1

Private information may be leaked if the settings are mistakenly made public when creating a project.
I think this feature is needed to quickly notice that the project is open to the public.

Actions #4

Updated by Kevin Fischer over 3 years ago

+1

On a somewhat related note:
About 1 month ago we also implemented and posted a patch for a new permission for publishing projects in response to #9029 . Maybe this could be considered for Redmine 5.0 ? It would surely help to counter the security concerns regarding public projects....

Actions #5

Updated by Marius BĂLTEANU over 3 years ago

Maybe we should add a Public badge next to Overview title as we have for issues and versions.

Actions #6

Updated by Mizuki ISHIKAWA over 3 years ago

I have attached a patch that adds a test to #35044#note-1. => 0001-Add-test.patch

I also made 0002-Add-project-public-badge.patch to add a badge based on the opinion of #35044#note-5. Please let me know if you need to separate the issue.

These patches were developed with Ko Nagase and Akihiro MATOBA .

Actions #7

Updated by Go MAEDA over 3 years ago

Mizuki ISHIKAWA wrote:

I have attached a patch that adds a test to #35044#note-1. => 0001-Add-test.patch

I also made 0002-Add-project-public-badge.patch to add a badge based on the opinion of #35044#note-5. Please let me know if you need to separate the issue.

Thank you for the patch but I think it is better to post as a new issue because the feature implemented by the patch is very different from the original proposal.

In addition, I suggest the following improvements:

  • The badge is for a single project, the noun should be singular ("projects" -> "project")
  • Maybe "public project" is too long. I think "public" is enough
  • The color #d22 is too prominent. Also, the red color gives a wrong impression that the public project itself is dangerous and bad. Making a project public is not dangerous. The danger is that you will set it up incorrectly
Actions #8

Updated by Mizuki ISHIKAWA over 3 years ago

Go MAEDA wrote:

Thank you for the patch but I think it is better to post as a new issue because the feature implemented by the patch is very different from the original proposal.

In addition, I suggest the following improvements:

  • The badge is for a single project, the noun should be singular ("projects" -> "project")
  • Maybe "public project" is too long. I think "public" is enough
  • The color #d22 is too prominent. Also, the red color gives a wrong impression that the public project itself is dangerous and bad. Making a project public is not dangerous. The danger is that you will set it up incorrectly

Thank you for your feedback.
I made a new issue #35221 and attached a new patch that was modified based on the feedback.

Actions #9

Updated by Marius BĂLTEANU over 3 years ago

We should show this info only once on this page and the members box is not the best option because the project visibility is an attribute of the project, not of the members. Also, in projects with multiple members or news, the information will be visibile only after more or less scroll.

From my point of view, having the bagde with a title attribute should be enough. If you don’t like this approach, then we should show this info in the project attributes box (top left).

Actions #10

Updated by Marius BĂLTEANU over 3 years ago

One more thing, project content visibility depends on the rights configured for anonymous/non member roles, maybe the message should be more specific because the current one says that the content is publicly available. Also, in an era of SaaS/cloud applications, we should avoid using the word network. .

Actions #11

Updated by Go MAEDA over 3 years ago

What I wanted to show in the members box is public not whether the project is public or not, but anonymous users and nonmembers can access the project.

I think it would be good to discuss how to indicate that a project is public, based on the patch in #35221.

Actions #12

Updated by Marius BĂLTEANU over 3 years ago

Go MAEDA wrote:

What I wanted to show in the members box is public not whether the project is public or not, but anonymous users and nonmembers can access the project.

I understand now and I think it's a valuable information.

I think it would be good to discuss how to indicate that a project is public, based on the patch in #35221.

Ok, I will add my proposals there in the following days.

Actions

Also available in: Atom PDF