Defect #35579

Label search for watcher shows all users of all projects when adding a new issue

Added by Pan Tau 4 months ago. Updated 4 months ago.

Status: Closed
Priority: Normal
Assignee: -
% Done: 0%
Start date:
Due date:
Category: Issues permissions
Target version: -
Resolution: Cant reproduce
Affected version: 4.2.1

Description

If you want to add a new issue with some watchers,
then you can use the following function.

The problem is that you will find all users of all existing projects.
There is no filtering on project or role rights.

So the user who is adding the new issue sees all users, even if he is not allowed to (data and privacy protection act).

Using the similar function on an existing issue seems to work alright.

Add_watcher.png (4.59 KB) Pan Tau, 2021-07-19 11:07

Search_with_usersearch.png (4.47 KB) Pan Tau, 2021-07-19 11:15

Watcher_function.png (1.72 KB) Pan Tau, 2021-07-19 11:29

Working_on_existing_issue.png (2.72 KB) Pan Tau, 2021-07-19 11:30

History

#1 Updated by Holger Just 4 months ago

  • Status changed from New to Needs feedback

Depending on your user's permissions you may be able to see all users or only some users in your Redmine. Basically, you can see all users if

  • you are an Admin
  • or if you are a member in any project with any role which grants you the permission to view all users

If you are only a member in projects with roles restricting you to view users in your projects, you should only be able to see users which are members of your projects.

I have tried to reproduce your description but was unable to find a case where this did not work as expected. Could you please provide more details here, specifically a detailed description of your projects, roles (and their permissions) and user memberships. Please try to define a minimal example which would allow us to reproduce your description based on a newly installed Redmine.

#2 Updated by Pan Tau 4 months ago

Thanks for the quick answer and help.
By reducing the projects step by step and testing afterwards, I finally found the project that was causing this problem.
This project contained a role with "Users visibility" set to "All active users".
I thought that the role option "Users visibility" only applies to the project it is assigned to, like the other role permissions.

Actually a user needs only one role with "Users visibility" set to "All active users" in one project, and he can then search for all users in the watcher search of every project.

#3 Updated by Holger Just 4 months ago

  • Status changed from Needs feedback to Closed
  • Resolution set to Cant reproduce

Pan Tau wrote:

Thanks for the quick answer and help.
By reducing the projects step by step and testing afterwards, I finally found the project that was causing this problem.
This project contained a role with "Users visibility" set to "All active users".

Thank you for verifying this. In that case, the system works as intended.

I thought that the role option "Users visibility" only applies to the project it is assigned to, like the other role permissions.

It is a bit special in that way, yes. However, even if the permission only applied to one project, this wouldn't restrict the set of data visible to the user, as they could then still enumerate all users in this project.

Note that for visibility of issues (including notifications), we still check if the watcher is able to see the issue. Just because they are a watcher, they don't necessarily have the ability to see the issue or to receive notifications for it.

Actually a user needs only one role with "Users visibility" set to "All active users" in one project, and he can then search for all users in the watcher search of every project.

Correct, as explained above.
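The visibility rule from comment #1 and the watcher caveat from comment #3, as an added example. This is a simplified model written for this page, not Redmine's own code: the Role, Project and Membership structs, the logins, the project identifiers and the hypothetical "Leaky" role (a role configured with "Users visibility: All active users") are all constructed here, and issue visibility is reduced to project membership, which ignores public projects, the Non-member role and per-role issue visibility.

```ruby
# Simplified model of Redmine-style "Users visibility", written as an added
# example. NOT Redmine's own code: all structs, roles and sample data below are
# constructed for this illustration.

Role       = Struct.new(:name, :users_visibility) # :all or :members_of_visible_projects
Project    = Struct.new(:identifier)
Membership = Struct.new(:user, :project, :roles)

# Constructed sample data (hypothetical logins and projects).
ALL_USERS = %w[admin pan alice bob carol dave].freeze
ADMINS    = %w[admin].freeze
ALPHA = Project.new("alpha")
BETA  = Project.new("beta")
GAMMA = Project.new("gamma")

# "Developer" keeps the default "Members of visible projects";
# "Leaky" is a hypothetical role configured with "All active users".
DEVELOPER = Role.new("Developer", :members_of_visible_projects)
LEAKY     = Role.new("Leaky", :all)

MEMBERSHIPS = [
  Membership.new("pan",   ALPHA, [DEVELOPER]),
  Membership.new("alice", ALPHA, [DEVELOPER]),
  Membership.new("bob",   BETA,  [DEVELOPER]),
  Membership.new("carol", BETA,  [DEVELOPER]),
  Membership.new("pan",   GAMMA, [LEAKY]),     # the single role that widens pan's view
  Membership.new("dave",  GAMMA, [DEVELOPER]),
].freeze

def memberships_of(user, memberships)
  memberships.select { |m| m.user == user }
end

# Logins the given user may see in any user search (watchers, assignee, ...).
# The result deliberately takes no "current project" argument: as the thread
# explains, one role with :all anywhere widens the view in every project.
def visible_users(user, all_users, memberships)
  return all_users if ADMINS.include?(user)
  own = memberships_of(user, memberships)
  return all_users if own.any? { |m| m.roles.any? { |r| r.users_visibility == :all } }
  own_projects = own.map(&:project)
  memberships.select { |m| own_projects.include?(m.project) }.map(&:user).uniq.sort
end

# Same data with one membership removed, to show which membership matters.
def without_membership(memberships, user, project)
  memberships.reject { |m| m.user == user && m.project == project }
end

# Being listed as a watcher does not by itself grant access to the issue
# (comment #3). Simplified assumption: a non-admin sees an issue only as a
# member of its project.
def can_see_issue?(user, project, memberships)
  ADMINS.include?(user) || memberships_of(user, memberships).any? { |m| m.project == project }
end

# A watcher is only notified if the issue is visible to them.
def watcher_notified?(watcher, issue_project, memberships)
  can_see_issue?(watcher, issue_project, memberships)
end

if __FILE__ == $PROGRAM_NAME
  puts "pan sees:           #{visible_users('pan', ALL_USERS, MEMBERSHIPS).inspect}"
  trimmed = without_membership(MEMBERSHIPS, 'pan', GAMMA)
  puts "pan without Leaky:  #{visible_users('pan', ALL_USERS, trimmed).inspect}"
  puts "bob sees:           #{visible_users('bob', ALL_USERS, MEMBERSHIPS).inspect}"
  puts "dave notified on an alpha issue? #{watcher_notified?('dave', ALPHA, MEMBERSHIPS)}"
end
```

Running it reproduces the reporter's finding: with the "Leaky" role in gamma, pan sees every active user from any project's watcher search; dropping that single membership shrinks pan's view to the alpha co-members, while bob (beta only) never sees more than beta's members. The last line shows the caveat from comment #3: pan can add dave as a watcher on an alpha issue, but dave is not a member of alpha and so is neither shown the issue nor notified. The practical check for an administrator is therefore to audit every role for "Users visibility: All active users", not only the roles used in the project where the search happens.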
