Defect #35090
Permission check of the setting button on the issues page mismatches button semantics
| Status: | Closed | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | | % Done: | 0% |
| Category: | UI | | |
| Target version: | 4.1.6 | | |
| Resolution: | Fixed | Affected version: | 4.2.0 |
Description
In source:/tags/4.2.0/app/views/issues/index.html.erb#L16 the link goes to the issues tab of the project settings. The button is only shown if the user has the manage_categories permission, but the permission required for this tab is edit_project (source:/tags/4.2.0/app/helpers/projects_helper.rb#L28).
Note that this is only a UI issue: the button might be shown to users that cannot see the tab that it links to, or the button might not be shown to users that would be able to see the tab that it links to, but upon following the link the correct permission is checked. There also is no information disclosure associated with this issue.
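The mismatch described in the report can be audited mechanically. The following is an added example, not Redmine code and not the attached patch: the `Link` struct, the role names and their permission sets are constructed, and the `ALIGNED` variant is only one assumed way to make the two checks agree.

```ruby
# Constructed model, not Redmine code: each UI link declares the permission
# its view checks before rendering and the permission its destination enforces.
Link = Struct.new(:name, :shown_if, :destination_requires)

# The state described in the report: the button is rendered on
# manage_categories, while the settings tab it opens requires edit_project.
REPORTED = Link.new("issues settings button", :manage_categories, :edit_project)
# Assumed alignment (the page does not show the patch): visibility is
# derived from the destination's own requirement.
ALIGNED = Link.new("issues settings button", :edit_project, :edit_project)

# Constructed sample roles (names and permission sets are illustrative).
ROLES = {
  "manager"  => [:edit_project, :manage_categories],
  "triager"  => [:manage_categories],
  "owner"    => [:edit_project],
  "reporter" => []
}.freeze

# Classify what one permission set experiences for one link.
def outcome(link, permissions)
  shown   = permissions.include?(link.shown_if)
  allowed = permissions.include?(link.destination_requires)
  return :consistent if shown == allowed
  shown ? :dead_link : :hidden_feature
end

# Return { role_name => outcome } for every role whose view-side check
# and destination-side check disagree.
def mismatches(link, roles = ROLES)
  roles.each_with_object({}) do |(role, perms), found|
    result = outcome(link, perms)
    found[role] = result unless result == :consistent
  end
end

if __FILE__ == $PROGRAM_NAME
  p mismatches(REPORTED)
  p mismatches(ALIGNED)
end
```

Both failure directions from the report appear: a role with only manage_categories gets a link it cannot follow, and a role with only edit_project never sees a link it could use.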
Related issues
Associated revisions
Permission check of the setting button on the issues page mismatches button semantics (#35090).
Patch by Takenori TAKAKI.
History
#1
Updated by Holger Just about 1 year ago
- Description updated (diff)
#2
Updated by Takenori TAKAKI 9 months ago
- File fix-35090.patch added
I made a patch to fix & test the issue #35090, and attach it.
#3
Updated by Go MAEDA 9 months ago
- Related to Feature #22090: Make project settings more accessible added
#6
Updated by Go MAEDA 6 months ago
- Subject changed from Permission check mismatches button semantics to Permission check of the setting button on the issues page mismatches button semantics
- Status changed from Confirmed to Resolved
- Assignee set to Go MAEDA
- Resolution set to Fixed
Committed the patch. Thank you for your contribution.