Defect #36549

Issues with watchers and restricted tickets

Added by Tim G 5 months ago. Updated 5 months ago.

Status:ClosedStart date:
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:Issues
Target version:-
Resolution:Invalid Affected version:4.2.0

Description

Hello everyone,

we have a restricted project, where only certrain user groups are able to see the tickets. We have a plugin, which enables users, who assigned as Watcher to tickets of this restricted project are able to edit those tickets like usual, but the rest of the "normal users" cant see it.

I have discovered that I'm able to assign any user (even users with no permissions) as a Watcher to new Tickets upon ticket creation, but when the ticket is finally created and I want to add more watchers afterwards, I can only select the users who are permitted to this project. Please see Screenshots.

Is there a way to fix this? Maybe there is also a plugin, which is capable of fixing this. I would even pay for it, to be honest.

Environment:
Redmine version 4.2.0.stable
Ruby version 2.7.2-p137 (2020-10-01) [x86_64-linux]
Rails version 5.2.5
Environment production
Database adapter Mysql2
Mailer queue ActiveJob::QueueAdapters::AsyncAdapter
Mailer delivery smtp
SCM:
Subversion 1.13.0
Git 2.25.1
Filesystem
Redmine plugins:
redmine_auditlog 0.0.5
redmine_ckeditor 1.2.3
redmine_extended_watchers 4.1.1

Screenshot_100.png (32.1 KB) Tim G, 2022-01-31 16:09

Screenshot_98.png (29.3 KB) Tim G, 2022-01-31 16:09


Related issues

Related to Redmine - Patch #33329: Improve watchers functionality to mark the users that are... Closed

History

#1 Updated by Tim G 5 months ago

In other words, I would like to be able to add any of my 1000 users as watcher to this ticket and not just the 50 accounts who are permitted to it.

#2 Updated by Holger Just 5 months ago

  • Related to Patch #33329: Improve watchers functionality to mark the users that are watching a non visible object and to not return watchers that cannot see the object added

#3 Updated by Tim G 5 months ago

@Holger: Do you think the installation of the 3 patches will help?

BR,
Tim

#4 Updated by Holger Just 5 months ago

The three patches are part of Redmine already (since Redmine 4.2).

However, I believe that the patch 0002 from #33329 is the cause of your issue as it specifically filters out any users from the list of possible watchers who can not view the issue right now. Unfortunately, this defeats your use-case as only by adding the user as a watcher, they will be able to view it.

We (as in the folks of https://plan.io) are currently investigating this further. Once we have more info, we'll post it here.

#5 Updated by Marius BALTEANU 5 months ago

  • Status changed from New to Needs feedback

I'm the author of those patches. Watchers are designed only for notifications purposes and not for issue visibility (#8488). If "redmine_extended_watchers" changes the core behaviour, it should change also the behaviour added by #33329.

Holger, can I close this ticket?

#6 Updated by Tim G 5 months ago

@Holger & @Marius: Thanks for the answers first of all. Sadly I need to tell you, that we have already upgraded to 4.2.3 and the problems are still there. Are there any files or Plugins which would fix it maybe?

Yes true, we're using the redmine_extended_watchers plugin, because we want to make sure that only watchers or assignees get access to certrain tickets. Furthermore we want to ensure that those people can edit the tickets.

BR,
Tim

#7 Updated by Tim G 5 months ago

@Holger & Marius:

We have now solved the problem by commenting out the following 3 lines from the watchers_controller.rb

+ # if watchable_object.respond_to?(:visible?)
+ # users.reject! {|user| user.is_a?(User) && !watchable_object.visible?(user)}
+ # end

Ticket can be closed :)

BR,
Tim

#8 Updated by Marius BALTEANU 5 months ago

  • Status changed from Needs feedback to Closed
  • Resolution set to Invalid

Tim G wrote:

Ticket can be closed :)

BR,
Tim

Thanks!

Also available in: Atom PDF