Project

General

Profile

Actions
Copy link

Defect #41465

closed

"Import issues" and "Import time entries" pages are visible to users without "Add issues" and "Log spent time" permissions

Added by Kenta Kumojima 2 months ago. Updated about 2 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Go MAEDA
Category:
Importers
Target version:
5.0.10
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:

Description

User without log_time permission can access /time_entry/imports/new. (this user has import_time_entry permission)
if the user try to import, internal error occured.

ActionView::Template::Error (undefined method `activities' for nil:NilClass

    project.activities
           ^^^^^^^^^^^):

Causes:
NoMethodError (undefined method `activities' for nil:NilClass

    project.activities
           ^^^^^^^^^^^)
     7: <p>
     8:   <label for="import_mapping_activity"><%= l(:field_activity) %></label>
     9:   <%= mapping_select_tag @import, 'activity', :required => true,
    10:         :values => @import.allowed_target_activities.sorted.map {|t| [t.name, t.id]} %>
    11: </p>
    12:
    13: <div class="splitcontent">

app/models/time_entry_import.rb:52:in `allowed_target_activities'
app/views/imports/_time_entries_fields_mapping.html.erb:10
app/views/imports/_time_entries_mapping.html.erb:4
app/views/imports/mapping.html.erb:4
app/views/imports/mapping.html.erb:3
lib/redmine/sudo_mode.rb:78:in `sudo_mode'

so, this patch adds checking log_time permission to `TimeEntryImport.authorized?.`

Files

Download all files
import_time_entry.patch (2.49 KB) import_time_entry.patch Kenta Kumojima, 2024-10-10 10:48
import_time_entry.patch (2.54 KB) import_time_entry.patch Kenta Kumojima, 2024-10-10 10:57
import_issue_and_time_entry.patch (5.08 KB) import_issue_and_time_entry.patch Kenta Kumojima, 2024-10-11 16:55
import_issue_and_time_entry-v2.patch (3.47 KB) import_issue_and_time_entry-v2.patch Go MAEDA, 2024-10-28 03:03
Actions
Copy link
 #2

Updated by Go MAEDA 2 months ago

  • Tracker changed from Patch to Defect
  • Status changed from New to Confirmed

Thank you for detecting and reporting the issue.

I found IssueImport.authorized? has a similar problem. It should check :add_issues permission.

Actions
Copy link
 #3

Updated by Go MAEDA 2 months ago

  • Target version set to 5.0.10
Actions
Copy link
 #4

Updated by Kenta Kumojima 2 months ago

I found IssueImport.authorized? has a similar problem. It should check :add_issues permission.

I added checking add_issues permission when importing issues and updated patch.

Actions
Copy link
 #5

Updated by Go MAEDA about 2 months ago

I have updated the patch to apply to the current trunk cleanly.

Actions
Copy link
 #6

Updated by Go MAEDA about 2 months ago

  • Status changed from Confirmed to Closed
  • Assignee set to Go MAEDA
  • Resolution set to Fixed

I have committed the fix in r23178. Thank you for your contribution.

I didn't set this issue's category to "Security" because, although the import pages are visible to users without permissions, the import process will fail.

Actions
Copy link

Also available in: Atom PDF