Defect #6060
Closed
restricted user can access projects list and issue contents
0%
Description
Hello,
I did add a new user with the permission to access the files section of a single project. When performing a login with this new user I did experience the following problems:
- the user gets an error message after logging in
- the list of projects is accessible
- when entering a project via the project list all issues are accessible (of every project).
- when entering projects, where access has been granted, the checking for permissions seems to work properly. However, I did grant access to the files section, but the sections 'Activity' and 'News' are available, too.
I do set the priority to 'high' because of the possibility to access data within non-public projects.
Updated by Mario Scondo over 14 years ago
- Files > View Files
It seems that the 'restricted' account has access to contents of 'public' projects. But the assigned role contains 'Issue tracking > View Issues' == False.
Updated by Felix Schäfer over 14 years ago
- Status changed from New to Closed
- Resolution set to Invalid
Mario Scondo wrote:
It seems that the 'restricted' account has access to contents of 'public' projects. But the assigned role contains 'Issue tracking > View Issues' == False.
All logged-in users also have "non member" (logged in but not member of the project) and "anonymous" (not logged in) permissions on public projects. I think you should read up on the permissions system in Redmine, as your confusion seems to stem from there.