Project

General

Profile

Actions

Defect #35045

closed

Mail handler bypasses add_issue_notes permission

Added by Holger Just over 3 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Email receiving
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:

Description

Following #33689, the distinction between the edit_issues permission and add_issue_notes was increased in that the edit permission does not encompass the permission to add notes on its own.

However, it is currently still possible for users with just the edit_issues permission but without the add_issue_notes permission to add notes to issues by "replying" to issue notification emails (if set up on that particular Redmine).

See https://www.redmine.org/projects/redmine/repository/entry/tags/4.1.2/app/models/mail_handler.rb#L228

In general, I believe that the edit_issues permission was originally intended to also encompass the add_issue_notes permission (since it doesn't make much sense to allow people to change any attribute of the issue but not to add notes). Instead, when the add_issue_notes permission was added, I believe it was intended to be given to users so that they can ONLY add notes but not change any other attribute. This detail appears to be interpreted differently later on, resulting in inconsistently applied permissions now.


Related issues

Related to Redmine - Feature #17599: Allow users to edit issues without adding notes.New

Actions
Actions

Also available in: Atom PDF