Defect #9566

closed

Redmine.pm considers all projects private when login_required is enabled

Added by Guillaume Perréal about 13 years ago. Updated about 13 years ago.

Status: Closed
Priority: Normal
Category: SCM extra
Target version:
Start date: 2011-11-14
Due date:
% Done: 0%
Estimated time:
Resolution:
Affected version:

Description

When the "login_required" setting is enabled, Redmine.pm considers all projects as private, which prevents non-member access to public projects.

Actions #1

Updated by Jean-Philippe Lang about 13 years ago

  • Status changed from New to Resolved
  • Resolution set to Fixed

This should be fixed in r7808. Can you confirm?

Actions #2

Updated by Jean-Philippe Lang about 13 years ago

  • Assignee set to Jean-Philippe Lang

Actions #3

Updated by Guillaume Perréal about 13 years ago

With r7808, providing any login/password always allows reading on public projects, even if the user does not exist or the password is wrong.

Actions #4

Updated by Jean-Philippe Lang about 13 years ago

  • Status changed from Resolved to Confirmed
  • Resolution deleted (Fixed)

Indeed and I've just reverted it. The fix needs more refactoring.

Actions #5

Updated by Jean-Philippe Lang about 13 years ago

  • File 9566.patch added

The attached patch should handle the access of non members. Feedback is welcome.

Actions #6

Updated by Guillaume Perréal about 13 years ago

I think "cast(projects.is_public as CHAR) IN ('t', '1')" could be handled as "projects.is_public" since it should be a boolean and I do not know if this SQL is allowed with all RDBMS. ("t" is just how DBI returns PostgreSQL true value.) I will test it with MySQL and maybe SQLite. By the way, I am not sure how this change would affect the RedmineDbQuery directive.

Actions #7

Updated by Jean-Philippe Lang about 13 years ago

Guillaume Perréal wrote:

> I think "cast(projects.is_public as CHAR) IN ('t', '1')" could be handled as "projects.is_public" since it should be a boolean

It doesn't work with sqlite3.

> and I do not know if this SQL is allowed with all RDBMS. ("t" is just how DBI returns PostgreSQL true value.) I will test it with MySQL and maybe SQLite.

It should work with mysql, postgresql and sqlite3.

> By the way, I am not sure how this change would affect the RedmineDbQuery directive.

The members and member_roles are no longer available for additional conditions but I don't think it really makes sense to add custom conditions on these tables.
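
The two forms of the public-project predicate discussed in this exchange, run against SQLite as an added example (not part of the thread or of Redmine.pm). The table, the rows and the helper name `public_projects` are constructed, and storing the flag as 't'/'f' text alongside 1/0 integers is an assumption made to show both encodings side by side.

```python
import sqlite3

# Constructed sample rows: the same boolean flag in two encodings
# ('t'/'f' text and 1/0 integers). Assumption for illustration only;
# this is not the real Redmine schema or data.
SAMPLE_PROJECTS = [
    ("public-text", "t"),
    ("private-text", "f"),
    ("public-int", 1),
    ("private-int", 0),
]

# The two predicates quoted in the thread.
BARE_PREDICATE = "projects.is_public"
CAST_PREDICATE = "cast(projects.is_public as CHAR) IN ('t', '1')"


def public_projects(predicate):
    """Return the identifiers that `predicate` treats as public in SQLite."""
    conn = sqlite3.connect(":memory:")
    try:
        # No declared column type, so SQLite stores each value as given.
        conn.execute("CREATE TABLE projects (identifier TEXT, is_public)")
        conn.executemany("INSERT INTO projects VALUES (?, ?)", SAMPLE_PROJECTS)
        rows = conn.execute(
            "SELECT identifier FROM projects WHERE " + predicate +
            " ORDER BY identifier"
        ).fetchall()
        return [row[0] for row in rows]
    finally:
        conn.close()


if __name__ == "__main__":
    # The bare column is evaluated numerically, so the text value 't'
    # counts as false and that public project is treated as private.
    print("bare:", public_projects(BARE_PREDICATE))
    # The cast compares text, so both encodings of "true" match.
    print("cast:", public_projects(CAST_PREDICATE))
```

Because this predicate decides whether an access check treats a project as public or private, it is worth running the same comparison on every database backend the deployment supports.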

Actions #8

Updated by Guillaume Perréal about 13 years ago

There is a small typo in the subquery: it selects member_roles.id where it should be member_roles.role_id. Once fixed, it behaves as expected: I tested it with roles manager, reviewer and non-member for reading and writing access.

Actions #9

Updated by Jean-Philippe Lang about 13 years ago

  • Status changed from Confirmed to Resolved
  • Target version set to 1.2.3

Fixed patch applied, thanks for the feedback.

Actions #10

Updated by Jean-Philippe Lang about 13 years ago

  • File deleted (9566.patch)

Actions #11

Updated by Jean-Philippe Lang about 13 years ago

  • Status changed from Resolved to Closed

Merged.
