Defect #3747
closed"Issues" tab showing for users without any Issues permission
0%
Description
I configured a Role with "Issues can be assigned to this role" unchecked and only with "View changests" permission checked for Repository access.
When I login with this user, I can see the "Issues" tab, and all issues.
Config
Redmine 0.8.4 Ruby on Rails 2.1.2 ruby 1.8.6 (2008-08-11 patchlevel 287) [x86_64-linux] Ruby Enterprise Edition 20090610 mysql Ver 14.12 Distrib 5.0.45, for redhat-linux-gnu (x86_64) using readline 5.0
Updated by Enderson Maia over 15 years ago
The same occurs for the "News" tab.
Is this the expected behavior ?
Updated by Jean-Philippe Lang about 15 years ago
- Status changed from New to Closed
- Affected version (unused) deleted (
0.8.4) - Resolution set to Invalid
- Affected version deleted (
0.8.4)
Yes, it is. Issues of public project can be seen by anyone.
See also #3187.
Updated by Enderson Maia about 15 years ago
- Status changed from Closed to Reopened
It's not a public project.
Setup to reproduce¶
- Create a new Role called 'Changeset Viewer' uncheck every check-box, except for "View changests" @ Repository;
- Create a new user called 'onlyrepo';
- Create a new project 'test' (not public, modules: repository, issues);
- Assign user 'onlyrepo' to project 'test' with the role of 'Changeset Viewer';
- Create some issues in the 'test' project with your admin user;
- Update the issues with random content;
- Do some commits on the reository;
Tests¶
With the user 'onlyrepo'.
Shouldn't view issues¶
The Issues tab shouldn't be visible, and trying to access it via URL should return 403.
Should only view activity for changesets¶
Access to Activity should only changesets, and no issues updates;
Updated by Jean-Philippe Lang about 15 years ago
- Status changed from Reopened to Closed
Sorry. I'll make it clearer:
Issues of public project can be seen by anyone and issues are always visible by project members.
That's the way it works for now. Again, see #3187.