Defect #9278
closed
Even without Permission "View Issues" or "View spent time " I can acces those pages...
Added by Stéphane Carré about 13 years ago.
Updated about 13 years ago.
Category:
Permissions and roles
Description
In my Redmine configuration I have a "very poor" role without permission "View Issues" and "View spent time".
But when accessing projets page with a user having only this role I have the projects menu :
View all issues | Overall spent time | Overall activity
... and I can access those links when clicking.
Is there a bug or did I missunderstood something ?
- Category changed from Issues permissions to Permissions and roles
Stéphane Carré wrote:
In my Redmine configuration I have a "very poor" role without permission "View Issues" and "View spent time".
But when accessing projets page with a user having only this role I have the projects menu :
View all issues | Overall spent time | Overall activity
... and I can access those links when clicking.
Is there a bug or did I missunderstood something ?
This is not a defect actually. You won't see issues, spent-time entries or other activity from projects which are not public and where the specific user don't have permissions to according to his role for the project.
Those three views are always visible to any user but only the data the user has explicitly access to is actually displayed.
Ok, now I understand the utility of the public flag for a project !
But this time I don't understand the need for the 2 permissions "view issues" and "view spent time" if they are never used !
Stéphane Carré wrote:
But this time I don't understand the need for the 2 permissions "view issues" and "view spent time" if they are never used !
They are used actually. All the permissions are assignable to seperate roles in which project members can operate for each seperate (not-public) project.
- Status changed from New to Resolved
Ok this is not a bug.
I understand that the menu buttons "View all issues", "Overall spent time", "Overall activity" are globals to all projects and that permissions "View Issues" and "View spent time" are relative to each project.
Sorry
- Status changed from Resolved to Closed
- Resolution set to Invalid
Stéphane Carré wrote:
Ok this is not a bug.
[...] and that permissions "View Issues" and "View spent time" are relative to each project.
Not per definition. Both individual permissions can be/are granted to the system roles "Non member" and "Anonymous" also, thus (in an open Redmine-instance) effectively these permissions can work on a global (project-wide) level too.
Stéphane Carré wrote:
Sorry
No need to say sorry here IMHO. The permissions-system currently in use by Redmine is not very-well documented and has some drawbacks and caveats.
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by