Project

General

Profile

Actions

Defect #35634

closed

Attachments deletable even though issue edit not permitted

Added by D G over 3 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Category:
Permissions and roles
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:

Description

If role A has permission to edit issues in tracker X but not in tracker Y, members of this role can delete attachments in issues with tracker Y.

This commit fixes this for attachments_editable? r15476. Likewise this should be done in /app/models/issue.rb:

  # Overrides Redmine::Acts::Attachable::InstanceMethods#attachments_deletable?
  def attachments_deletable?(user=User.current)
    attributes_editable?(user)
  end

Files

Actions #1

Updated by D G over 3 years ago

#24623 solves this issue but does a lot more...

Actions #2

Updated by Mischa The Evil over 3 years ago

  • Status changed from New to Confirmed

Issue and given fix confirmed. Adding the given method to Issue fixes this by properly taking tracker permissions into account (i.e. :edit_issue permission needed for tracker Y to delete attachments attached to an issue with set tracker Y).

D G wrote:

#24623 solves this issue but does a lot more...

Indeed. It implements full CRUD-permissions for issue attachments. I think it would be nice to have it integrated into the core, however the provided patch as-is is pretty big and, sadly, is currently outdated and will likely break the existing test suite and comes without any test coverage for the new features itself.
I've had a quick look into the patch implementation though and it all seems properly implemented (albeit to obviously outdated checkouts). It shouldn't be all too hard to rebase it onto the current trunk. Updating the test suite for the patch and testing (for) and handling (of) any possible edge-cases will be most of the required work to get it ready for a decision on core integration.

Actions #3

Updated by Marius BĂLTEANU over 3 years ago

  • Assignee set to Marius BĂLTEANU
  • Target version set to 4.1.5
Actions #4

Updated by Marius BĂLTEANU over 3 years ago

I've added two patches:
  • first one adds tests for r15476
  • second one fixes this issue and add tests.
Actions #6

Updated by Marius BĂLTEANU over 3 years ago

  • Status changed from Confirmed to Resolved

Patches committed.

Actions #7

Updated by Marius BĂLTEANU over 3 years ago

  • Status changed from Resolved to Closed
  • Resolution set to Fixed
Actions

Also available in: Atom PDF