Defect #37007

open

Switching project in "New Issue" shows wrong fields and uses disallowed default tracker

Added by Matthias Hörmann over 2 years ago. Updated about 2 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Issues permissions
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution:
Affected version:

Description

The problem occurs both in our production environment

Environment:
  Redmine version                4.2.3.stable.21378
  Ruby version                   2.5.5-p157 (2019-03-15) [x86_64-linux-gnu]
  Rails version                  5.2.6
  Environment                    production
  Database adapter               Mysql2
  Mailer queue                   ActiveJob::QueueAdapters::AsyncAdapter
  Mailer delivery                sendmail
SCM:
  Subversion                     1.10.4
  Git                            2.33.1
  Filesystem
Redmine plugins:
  redmine_agile                  1.6.2
  redmine_checklists             3.1.20
  redmine_theme_changer          0.4.0

and our test environment for the update to Redmine 5.0.0

Environment:
  Redmine version                5.0.0.stable.21535
  Ruby version                   2.5.5-p157 (2019-03-15) [x86_64-linux-gnu]
  Rails version                  6.1.5
  Environment                    production
  Database adapter               Mysql2
  Mailer queue                   ActiveJob::QueueAdapters::AsyncAdapter
  Mailer delivery                sendmail
Redmine settings:
  Redmine theme                  Default
SCM:
  Subversion                     1.10.4
  Mercurial                      4.8.2
  Git                            2.33.1
  Filesystem
Redmine plugins:
  redmine_agile                  1.6.4
  redmine_checklists             3.1.21
  redmine_theme_changer          0.5.0

Both are using MariaDB 10.6.

We have our permissions set up so new tickets by the affected role ("Manager Extern") can only be created in the tracker Inbox and the user can not select an assignee.

We have three projects, two of them child-projects of the third but without inherit members. A user is a member with the affected role in both of them (but not the third). The Project field that makes this issue possible does not appear in unrelated projects it seems. In my minimal tests I did not enable the Agile plugin modules in the test projects.

The Inbox Tracker setup works when creating an issue the normal way (without changing the Project field) but when using the "New Issue" button while in Project A and then changing the Project field to Project B (even though the user has the same role in both) the assignee field becomes visible in the create issue form, custom fields of the project are not displayed correctly and - even though the tracker field does not become visible - the issue is created in the global default tracker (Fehler) instead of the Inbox tracker.

I would expect the permissions for visible fields and tracker restrictions on newly created issues to be honoured even when tickets are created via this route and of course the displayed form fields to reflect that.

Forms before and after changing the project field (keep in mind both projects are configured exactly identically):

Form before changing the project field

Form after changing the project field


Files

selection_20220422_132320.png (13 KB) Matthias Hörmann, 2022-04-22 13:27
selection_20220422_132332.png (19.7 KB) Matthias Hörmann, 2022-04-22 13:27
selection_20220422_132428.png (45.1 KB) Matthias Hörmann, 2022-04-22 13:27
selection_20220422_135532.png (47.4 KB) Form before changing the project field, Matthias Hörmann, 2022-04-22 13:56
selection_20220422_135547.png (49.7 KB) Form after changing the project field, Matthias Hörmann, 2022-04-22 13:56

Actions #1

Updated by Matthias Hörmann over 2 years ago

Oh, and in the logs I noticed the POST Parameters contain the selected project id numerically but the one of the project displayed before hitting new issue in slug-form at the end.

Actions #2

Updated by Matthias Hörmann over 2 years ago

The Parameter issue with project_id appearing twice also seems to affect the POST to /projects/.../issues/new.js which is presumably what updates the form.

There it also seems to load the default tracker in

D, [2022-04-22T12:48:08.556037 #26315] DEBUG -- : [apache-198-1650624488532543]   Tracker Load (0.4ms)  SELECT `trackers`.* FROM `trackers` INNER JOIN `projects_trackers` ON `trackers`.`id` = `projects_trackers`.`tracker_id` WHERE `projects_trackers`.`project_id` = 92 ORDER BY `trackers`.`position` ASC LIMIT 1

(id 92 is the one specified in the request via the slug, not the numeric one that was selected in the input field). There is no tracker/tracker_id in the parameters.
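
The mismatch described in the two comments above (project slug in the URL, a different numeric project id inside the submitted issue) can be searched for in a production log. The following is an added example, not part of the original report and not Redmine code. It assumes request-tagged Rails log lines, a slug-to-id map you export yourself, and hypothetical slugs project-a and project-b; the sample lines and the id 93 are constructed.

```ruby
# Added example: flag issue-form requests whose submitted issue[project_id]
# differs from the project named in the URL. All log lines are constructed.
SAMPLE_LOG = <<~'LOG'
  I, [2022-04-22T12:48:01.100000 #26315]  INFO -- : [req-1] Started POST "/projects/project-a/issues" for 192.0.2.10 at 2022-04-22 12:48:01 +0200
  I, [2022-04-22T12:48:01.110000 #26315]  INFO -- : [req-1]   Parameters: {"issue"=>{"project_id"=>"92", "subject"=>"normal"}, "project_id"=>"project-a"}
  I, [2022-04-22T12:48:08.530000 #26315]  INFO -- : [req-2] Started POST "/projects/project-a/issues/new.js" for 192.0.2.10 at 2022-04-22 12:48:08 +0200
  I, [2022-04-22T12:48:08.540000 #26315]  INFO -- : [req-2]   Parameters: {"issue"=>{"project_id"=>"93", "subject"=>""}, "project_id"=>"project-a"}
  I, [2022-04-22T12:48:20.000000 #26315]  INFO -- : [req-3] Started POST "/projects/project-a/issues" for 192.0.2.10 at 2022-04-22 12:48:20 +0200
  I, [2022-04-22T12:48:20.010000 #26315]  INFO -- : [req-3]   Parameters: {"issue"=>{"project_id"=>"93", "subject"=>"switched"}, "project_id"=>"project-a"}
LOG

# Assumed slug-to-id map; 92 is the id quoted in the report, 93 is constructed.
PROJECT_IDS = { "project-a" => 92, "project-b" => 93 }.freeze

# Request line: captures the request tag, the URL project and whether this is
# the form refresh (/issues/new.js) or the actual create (/issues).
ROUTE = %r{\[(?<req>[^\]]+)\] Started POST "/projects/(?<slug>[^/"]+)/issues(?<form>/new\.js)?"}
# Parameters line: captures issue[project_id]. Limitation: expects project_id
# to appear before any nested hash inside "issue".
NESTED = /\[(?<req>[^\]]+)\]\s+Parameters: .*"issue"=>\{[^}]*"project_id"=>"(?<id>\d+)"/

# Returns one hash per request where the URL project and the selected project
# disagree. Requests whose URL project cannot be resolved are skipped.
def project_mismatches(log, project_ids = PROJECT_IDS)
  routes = {}
  hits = []
  log.each_line do |line|
    if (m = ROUTE.match(line))
      routes[m[:req]] = { slug: m[:slug], form_refresh: !m[:form].nil? }
    elsif (m = NESTED.match(line)) && (route = routes.delete(m[:req]))
      slug = route[:slug]
      # The URL may carry a slug or a numeric id; resolve both.
      route_id = project_ids.fetch(slug) { Integer(slug, exception: false) }
      selected = m[:id].to_i
      next if route_id.nil? || route_id == selected
      hits << { request: m[:req], route_project: slug, route_id: route_id,
                selected_id: selected, form_refresh: route[:form_refresh] }
    end
  end
  hits
end

if __FILE__ == $PROGRAM_NAME
  project_mismatches(SAMPLE_LOG).each { |hit| puts hit.inspect }
end
```

Hits with `form_refresh: false` are issues actually created through the switched-project path; those are the ones to review for tracker and assignee values the role should not have been able to set.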

Actions #3

Updated by Matthias Hörmann over 2 years ago

This problem still occurs with 5.0.2 and is frequently "exploited" by our customers.

Actions #4

Updated by Dimitar (RedmineUP) about 2 years ago

Hi Matthias,

This is Dimitar from the RedmineUP Support Team.

I see that you have some of our plugins on your list:

  redmine_agile                  1.6.2
  redmine_checklists             3.1.20

So, could you please contact our support team at ? And our support engineers will help you investigate the situation.

We look forward to hearing from you.

Best Regards,
Dimitar from the RedmineUP Support Team
