Defect #3747
closed
"Issues" tab showing for users without any Issues permission
Added by Enderson Maia over 15 years ago.
Updated about 15 years ago.
Category:
Permissions and roles
Description
I configured a Role with "Issues can be assigned to this role" unchecked and only with "View changesets" permission checked for Repository access.
When I log in with this user, I can see the "Issues" tab, and all issues.
Config
Redmine 0.8.4
Ruby on Rails 2.1.2
ruby 1.8.6 (2008-08-11 patchlevel 287) [x86_64-linux] Ruby Enterprise Edition 20090610
mysql Ver 14.12 Distrib 5.0.45, for redhat-linux-gnu (x86_64) using readline 5.0
The same occurs for the "News" tab.
Is this the expected behavior?
- Status changed from New to Closed
- Affected version (unused) deleted (0.8.4)
- Resolution set to Invalid
- Affected version deleted (0.8.4)
Yes, it is. Issues of public project can be seen by anyone.
See also #3187.
- Status changed from Closed to Reopened
It's not a public project.
Setup to reproduce
- Create a new Role called 'Changeset Viewer' uncheck every check-box, except for "View changesets" @ Repository;
- Create a new user called 'onlyrepo';
- Create a new project 'test' (not public, modules: repository, issues);
- Assign user 'onlyrepo' to project 'test' with the role of 'Changeset Viewer';
- Create some issues in the 'test' project with your admin user;
- Update the issues with random content;
- Do some commits on the repository;
Tests
With the user 'onlyrepo'.
Shouldn't view issues
The Issues tab shouldn't be visible, and trying to access it via URL should return 403.
Should only view activity for changesets
Access to Activity should only show changesets, and no issue updates;
- Status changed from Reopened to Closed
Sorry. I'll make it clearer:
Issues of public project can be seen by anyone and issues are always visible by project members.
That's the way it works for now. Again, see #3187.
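The two behaviours discussed in this thread, as an added Ruby model (not Redmine's code and not posted by either participant). Class, method and permission names such as `:view_issues` are hypothetical, and the sample data is constructed from the reproduction steps.

```ruby
# Added illustration: a minimal model of the two access policies discussed in
# this thread. Not Redmine code; all class and method names are hypothetical.
require 'set'

Role    = Struct.new(:name, :permissions)
Project = Struct.new(:name, :is_public, :modules, :members) # members: {login => Role}
Event   = Struct.new(:kind, :title)                         # kind: :issue or :changeset

# Permission that gates each event kind under the permission-gated policy.
REQUIRED = { issue: :view_issues, changeset: :view_changesets }.freeze

# Policy A, as described in the closing comment: issues of a public project are
# visible to anyone, and issues are always visible to project members.
def can_view_issues_membership?(login, project)
  return false unless project.modules.include?(:issues)
  project.is_public || project.members.key?(login)
end

# Policy B, what the reporter expected: the member's role must grant an
# explicit permission (the symbol :view_issues is an assumed name).
def can_view_issues_by_role?(login, project)
  return false unless project.modules.include?(:issues)
  role = project.members[login]
  !role.nil? && role.permissions.include?(:view_issues)
end

# HTTP status an issues-list request would get under the given policy.
def issues_status(login, project, policy)
  send(policy, login, project) ? 200 : 403
end

# Activity feed filtered per event kind by the member's role permissions.
def visible_activity(login, project, events)
  role = project.members[login]
  return [] if role.nil?
  events.select { |e| role.permissions.include?(REQUIRED[e.kind]) }
end

# Constructed sample data mirroring the reproduction steps above.
VIEWER = Role.new('Changeset Viewer', Set[:view_changesets])
TEST   = Project.new('test', false, Set[:repository, :issues], { 'onlyrepo' => VIEWER })
EVENTS = [Event.new(:issue, 'Issue updated'), Event.new(:changeset, 'Revision 1')]

if __FILE__ == $PROGRAM_NAME
  puts issues_status('onlyrepo', TEST, :can_view_issues_membership?)
  puts issues_status('onlyrepo', TEST, :can_view_issues_by_role?)
  puts visible_activity('onlyrepo', TEST, EVENTS).map(&:title).inspect
end
```

Under the membership policy the 'onlyrepo' user gets 200 on the issues list; under the role-gated policy the same request gets 403 and the activity feed contains only the changeset.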