Defect #3747

closed

"Issues" tab showing for users without any Issues permission

Added by Enderson Maia over 15 years ago. Updated about 15 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Permissions and roles
Target version: -
Start date: 2009-08-17
Due date:
% Done: 0%
Estimated time:
Resolution: Invalid
Affected version:

Description

I configured a Role with "Issues can be assigned to this role" unchecked and only with "View changesets" permission checked for Repository access.

When I log in with this user, I can see the "Issues" tab, and all issues.

Config

Redmine 0.8.4
Ruby on Rails 2.1.2
ruby 1.8.6 (2008-08-11 patchlevel 287) [x86_64-linux] Ruby Enterprise Edition 20090610
mysql  Ver 14.12 Distrib 5.0.45, for redhat-linux-gnu (x86_64) using readline 5.0

Actions #1

Updated by Enderson Maia over 15 years ago

The same occurs for the "News" tab.

Is this the expected behavior?

Actions #2

Updated by Jean-Philippe Lang about 15 years ago

  • Status changed from New to Closed
  • Affected version (unused) deleted (0.8.4)
  • Resolution set to Invalid
  • Affected version deleted (0.8.4)

Yes, it is. Issues of a public project can be seen by anyone.
See also #3187.

Actions #3

Updated by Enderson Maia about 15 years ago

  • Status changed from Closed to Reopened

It's not a public project.

Setup to reproduce

  1. Create a new Role called 'Changeset Viewer' and uncheck every check-box except for "View changesets" @ Repository;
  2. Create a new user called 'onlyrepo';
  3. Create a new project 'test' (not public, modules: repository, issues);
  4. Assign user 'onlyrepo' to project 'test' with the role of 'Changeset Viewer';
  5. Create some issues in the 'test' project with your admin user;
  6. Update the issues with random content;
  7. Do some commits on the repository;

Tests

With the user 'onlyrepo'.

Shouldn't view issues

The Issues tab shouldn't be visible, and trying to access it via URL should return 403.

Should only view activity for changesets

Access to Activity should only show changesets, and no issue updates.

Actions #4

Updated by Jean-Philippe Lang about 15 years ago

  • Status changed from Reopened to Closed

Sorry. I'll make it clearer:
Issues of a public project can be seen by anyone and issues are always visible by project members.

That's the way it works for now. Again, see #3187.
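
The two access rules discussed in this thread, as an added Ruby sketch that is not Redmine's code: the rule described in the replies (issues visible to anyone on a public project and to every project member) beside the explicit-permission rule the reporter's tests expect. All names, the permission symbols, the activity mapping and the 403 status for a denied request are assumptions made for the illustration; the data is constructed from the reproduction steps.

```ruby
require "set"

# Simplified, hypothetical model. members maps login => Role.
Role    = Struct.new(:name, :permissions)
Project = Struct.new(:name, :public, :modules, :members)

# Activity event kind => permission needed to see it (assumed mapping).
EVENT_PERMISSION = { issue: :view_issues, changeset: :view_changesets }.freeze

# Rule as described in the replies: issues are granted by project visibility or
# membership alone; every other permission must be held by the member's role.
def allowed_as_described?(project, login, permission)
  role = project.members[login]
  return true if permission == :view_issues && (project.public || role)
  !role.nil? && role.permissions.include?(permission)
end

# Rule the reporter expects: default deny, only an explicit role permission grants.
def allowed_as_expected?(project, login, permission)
  role = project.members[login]
  !role.nil? && role.permissions.include?(permission)
end

# Issues URL status, Issues tab visibility and visible activity kinds for one
# user under the given rule (passed as a method name).
def access_report(project, login, rule)
  can = ->(perm) { send(rule, project, login, perm) }
  {
    issues_status: can.call(:view_issues) ? 200 : 403,
    issues_tab: project.modules.include?(:issues) && can.call(:view_issues),
    activity: EVENT_PERMISSION.select { |_, perm| can.call(perm) }.keys
  }
end

# Constructed data matching the "Setup to reproduce" steps.
VIEWER       = Role.new("Changeset Viewer", Set[:view_changesets])
TEST_PROJECT = Project.new("test", false, [:repository, :issues], { "onlyrepo" => VIEWER })

%i[allowed_as_described? allowed_as_expected?].each do |rule|
  puts "#{rule}: #{access_report(TEST_PROJECT, 'onlyrepo', rule)}"
end
```
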
