Feature #5922
closed
Ability to ignore current user in Query model
0%
Description
Right now Query model uses logged in user for checking permissions and creating statements thus making impossible to make queries inside plugin which will extract information from projects not visible to current user.
For example, if i want to display some information to user from projects that not seen by him, i am unable to use Query for building statement for my find request.
Updated by Holger Just over 14 years ago
- Category changed from Plugin API to Issues
- Assignee deleted (
Jean-Philippe Lang)
Updated by Holger Just 9 months ago
- Status changed from New to Closed
- Resolution set to Wont fix
The security approach by Redmine is generally that any data shown to the user should only reflect data the user can see, even if aggregated. As such, users should generally not see of be able to infer any information about projects or other data not visible to them.
Checking the current user and their permissions is thus a core part of ensuring the security of Redmine which I would strongly hesitate to weaken. Especially the query models are rather complex which would make it hard to provide a useful compromise here.
In any case, using a query model in a plugin without exposing the actual full query user interface appears rather strange. Instead, if you positively HAVE TO access data not visible to a user, you ca use plain active record queries in your plugin and apply the required search scopes there. Here, it is usually not required to use a Query model at all.