Defect #35634
closed
Attachments deletable even though issue edit not permitted
Added by D G over 3 years ago.
Updated over 3 years ago.
Category:
Permissions and roles
Description
If role A has permission to edit issues in tracker X but not in tracker Y, members of this role can delete attachments in issues with tracker Y.
This commit fixes this for attachments_editable? r15476. Likewise this should be done in /app/models/issue.rb:
# Overrides Redmine::Acts::Attachable::InstanceMethods#attachments_deletable?
def attachments_deletable?(user=User.current)
  attributes_editable?(user)
end
#24623 solves this issue but does a lot more...
- Status changed from New to Confirmed
Issue and given fix confirmed. Adding the given method to Issue fixes this by properly taking tracker permissions into account (i.e. :edit_issue permission needed for tracker Y to delete attachments attached to an issue with set tracker Y).
D G wrote:
#24623 solves this issue but does a lot more...
Indeed. It implements full CRUD-permissions for issue attachments. I think it would be nice to have it integrated into the core, however the provided patch as-is is pretty big and, sadly, is currently outdated and will likely break the existing test suite and comes without any test coverage for the new features itself.
I've had a quick look into the patch implementation though and it all seems properly implemented (albeit to obviously outdated checkouts). It shouldn't be all too hard to rebase it onto the current trunk. Updating the test suite for the patch and testing (for) and handling (of) any possible edge-cases will be most of the required work to get it ready for a decision on core integration.
- Assignee set to Marius BĂLTEANU
- Target version set to 4.1.5
I've added two patches:
- first one adds tests for r15476
- second one fixes this issue and adds tests.
- Status changed from Confirmed to Resolved
- Status changed from Resolved to Closed
- Resolution set to Fixed
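A minimal Ruby model of the gap discussed in this issue, added here as an illustration and not taken from Redmine's code: a generic attachable check that ignores the tracker, next to the override from the description that delegates to the tracker-aware `attributes_editable?`. `Role`, `User`, `Attachable`, `IssueBefore`, `IssueAfter`, `deletable_matrix` and the `can_edit_issues*` helpers are hypothetical names, and the mixin's default behaviour is an assumption made for the sketch.

```ruby
# Simplified model of the permission gap; not Redmine's code.
# Role#edit_trackers lists the trackers where the role may edit issues (assumed shape).
Role = Struct.new(:name, :edit_trackers)

User = Struct.new(:role) do
  # Tracker-agnostic: true if the role can edit issues in any tracker.
  def can_edit_issues?
    !role.edit_trackers.empty?
  end

  # Tracker-aware: true only for trackers the role may edit.
  def can_edit_issues_in?(tracker)
    role.edit_trackers.include?(tracker)
  end
end

# Stand-in for a generic attachable mixin that knows nothing about trackers.
module Attachable
  def attachments_deletable?(user)
    user.can_edit_issues?
  end
end

# Before: only attribute editing is tracker-aware; deletion uses the mixin default.
IssueBefore = Struct.new(:tracker) do
  include Attachable

  def attributes_editable?(user)
    user.can_edit_issues_in?(tracker)
  end
end

# After: the override from the report routes deletion through the same check.
class IssueAfter < IssueBefore
  def attachments_deletable?(user)
    attributes_editable?(user)
  end
end

# Per-tracker answer to "may this user delete attachments?"
def deletable_matrix(issue_class, user, trackers)
  trackers.map { |t| [t, issue_class.new(t).attachments_deletable?(user)] }.to_h
end

# Constructed sample: role A may edit issues in tracker X only.
member = User.new(Role.new("A", ["X"]))
p deletable_matrix(IssueBefore, member, %w[X Y])
p deletable_matrix(IssueAfter, member, %w[X Y])
```

A regression test for this class of bug should assert the tracker Y case explicitly, since the tracker X case passes both before and after the fix.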