Defect #37007
open
Switching project in "New Issue" shows wrong fields and uses disallowed default tracker
0%
Description
The problem occurs both in our production environment
Environment: Redmine version 4.2.3.stable.21378 Ruby version 2.5.5-p157 (2019-03-15) [x86_64-linux-gnu] Rails version 5.2.6 Environment production Database adapter Mysql2 Mailer queue ActiveJob::QueueAdapters::AsyncAdapter Mailer delivery sendmail SCM: Subversion 1.10.4 Git 2.33.1 Filesystem Redmine plugins: redmine_agile 1.6.2 redmine_checklists 3.1.20 redmine_theme_changer 0.4.0
and our test environment for the update to Redmine 5.0.0
Environment: Redmine version 5.0.0.stable.21535 Ruby version 2.5.5-p157 (2019-03-15) [x86_64-linux-gnu] Rails version 6.1.5 Environment production Database adapter Mysql2 Mailer queue ActiveJob::QueueAdapters::AsyncAdapter Mailer delivery sendmail Redmine settings: Redmine theme Default SCM: Subversion 1.10.4 Mercurial 4.8.2 Git 2.33.1 Filesystem Redmine plugins: redmine_agile 1.6.4 redmine_checklists 3.1.21 redmine_theme_changer 0.5.0
Both are using MariaDB 10.6.
We have our permissions set up so new tickets by the affected role ("Manager Extern") can only be created in the tracker Inbox and the user can not select an assignee.
We have three projects, two of them child-projects of the third but without inherit members. A user is a member with the affected role in both of them (but not the third). The Project field that makes this issue possible does not appear in unrelated projects it seems. In my minimal tests I did not enable the Agile plugin modules in the test projects.
The Inbox Tracker setup works when creating an issue the normal way (without changing the Project field) but when using the "New Issue" button while in Project A and then changing the Project field to Project B (even though the user has the same role in both) the assignee field becomes visible in the create issue form, custom fields of the project are not displayed correctly and - even though the tracker field does not become visible - the issue is created in the global default tracker (Fehler) instead of the Inbox tracker.
I would expect the permissions for visible fields and tracker restrictions on newly created issues to be honoured even when tickets are created via this route and of course the displayed form fields to reflect that.
Forms before and after changing the project field (keep in mind both projects are configured exactly identically):
Files
Updated by Matthias Hörmann over 2 years ago
Oh, and in the logs I noticed the POST Parameters contain the selected project id numerically but the one of the project displayed before hitting new issue in slug-form at the end.
Updated by Matthias Hörmann over 2 years ago
The Parameter issue with project_id appearing twice also seems to affect the POST to /projects/.../issues/new.js which is presumably what updates the form.
There it also seems to load the default tracker in
D, [2022-04-22T12:48:08.556037 #26315] DEBUG -- : [apache-198-1650624488532543] Tracker Load (0.4ms) SELECT `trackers`.* FROM `trackers` INNER JOIN `projects_trackers` ON `trackers`.`id` = `projects_trackers`.` tracker_id` WHERE `projects_trackers`.`project_id` = 92 ORDER BY `trackers`.`position` ASC LIMIT 1
(id 92 is the one for specified in the request via the slug, not the numeric one that was selected in the input field). There is no tracker/tracker_id in the parameters.
Updated by Matthias Hörmann over 2 years ago
This problem still occurs with 5.0.2 and is frequently "exploited" by our customers.
Updated by Dimitar (RedmineUP) almost 2 years ago
Hi Matthias,
This is Dimitar from the RedmineUP Support Team.
I see that you have some of our plugins on your list:
redmine_agile 1.6.2 redmine_checklists 3.1.20
So, could you please contact our support team at support@redmineup.com? And our support engineers will help you investigate the situation.
We look forward to hearing from you.
Best Regards,
Dimitar from the RedmineUP Support Team