Project

General

Profile

Actions

Feature #5922

closed

Ability to ignore current user in Query model

Added by Vitaly Klimov over 13 years ago. Updated 20 days ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Issues
Target version:
-
Start date:
2010-07-21
Due date:
% Done:

0%

Estimated time:
Resolution:
Wont fix

Description

Right now Query model uses logged in user for checking permissions and creating statements thus making impossible to make queries inside plugin which will extract information from projects not visible to current user.

For example, if i want to display some information to user from projects that not seen by him, i am unable to use Query for building statement for my find request.

Actions #1

Updated by Holger Just over 13 years ago

  • Category changed from Plugin API to Issues
  • Assignee deleted (Jean-Philippe Lang)
Actions #2

Updated by Holger Just 20 days ago

  • Status changed from New to Closed
  • Resolution set to Wont fix

The security approach by Redmine is generally that any data shown to the user should only reflect data the user can see, even if aggregated. As such, users should generally not see of be able to infer any information about projects or other data not visible to them.

Checking the current user and their permissions is thus a core part of ensuring the security of Redmine which I would strongly hesitate to weaken. Especially the query models are rather complex which would make it hard to provide a useful compromise here.

In any case, using a query model in a plugin without exposing the actual full query user interface appears rather strange. Instead, if you positively HAVE TO access data not visible to a user, you ca use plain active record queries in your plugin and apply the required search scopes there. Here, it is usually not required to use a Query model at all.

Actions

Also available in: Atom PDF