Vote #64515

Completed

Cross project issue relations and user permissions

Added by Admin Redmine almost 2 years ago. Updated almost 2 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Issues_2
Target version:
Start date: 2009/01/26
Due date:
% Done: 0%
Estimated time: 1.00 hours
category_id: 2
version_id: 6
issue_org_id: 2589
author_id: 2928
assigned_to_id: 0
comments: 2
status_id: 5
tracker_id: 1
plus1: 0
affected_version:
closed_on:
affected_version_id:
Status-->[Closed]

Description

I have an odd use-case here. Administrator Alice enables cross-project issue relations, creates a private project and creates issue 1 (an issue User Bob can't see). Bob, who belongs to a public project, creates issue 2. Being the sneaky user that he is, he wants to see what tickets private trackers have. He adds an issue relation to issue 1 and sees the ticket subject. Oh noes!

Basically, cross-project issue relations aren't respecting user permissions to see the ticket (or its subject). The issue relation could be kept, for sure, just not displayed to that user.

I gather the fix is to restrict what issue relations show according to the viewing user's permissions, yeah?


journals

> He adds an issue relation to issue 1 and sees the ticket subject. Oh noes!

This is fixed in r2323. Users are no longer able to add relations on tickets they're not allowed to view.

TODO: do not show a relation if the related issue can not be viewed.
--------------------------------------------------------------------------------
Last part is fixed in r2343.
The relation will be hidden if the user is not allowed to view the related issue.
--------------------------------------------------------------------------------
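
The two checks described in the comments above (refusing to create a relation to an issue the user cannot view, and hiding existing relations to such issues), sketched as an added Ruby example. This is not Redmine's code or the content of r2323/r2343; the structs, `visible?`, `add_relation`, `visible_relations` and the simplified visibility rule are assumptions made for illustration.

```ruby
# Toy model (constructed for illustration; not Redmine's schema or code).
Project  = Struct.new(:name, :is_public, :member_ids)
User     = Struct.new(:id, :login, :admin)
Issue    = Struct.new(:id, :subject, :project)
Relation = Struct.new(:issue_from, :issue_to)
class Forbidden < StandardError; end

# Assumed rule: admins, public projects and project members grant visibility.
def visible?(issue, user)
  user.admin || issue.project.is_public || issue.project.member_ids.include?(user.id)
end

# Write-side check: refuse to create a relation unless the acting user
# can view both ends, so the relation form cannot be used as an oracle.
def add_relation(relations, user, from, to)
  raise Forbidden, "issue not found or not visible" unless visible?(from, user) && visible?(to, user)
  relations << Relation.new(from, to)
  relations.last
end

# Read-side check: relations created by others (e.g. by an admin) stay
# stored, but are only rendered if the viewer can see the other issue.
def visible_relations(relations, issue, user)
  relations.select { |r| r.issue_from == issue || r.issue_to == issue }
           .map    { |r| r.issue_from == issue ? r.issue_to : r.issue_from }
           .select { |other| visible?(other, user) }
end

# Constructed sample data matching the scenario in the report.
ALICE   = User.new(1, "alice", true)
BOB     = User.new(2, "bob", false)
PRIVATE = Project.new("private", false, [1])
PUBLIC  = Project.new("public", true, [2])
ISSUE1  = Issue.new(1, "secret subject", PRIVATE)
ISSUE2  = Issue.new(2, "public bug", PUBLIC)

def demo
  relations = []
  blocked = begin
    add_relation(relations, BOB, ISSUE2, ISSUE1); false
  rescue Forbidden
    true
  end
  add_relation(relations, ALICE, ISSUE2, ISSUE1) # admin links the two issues
  { blocked: blocked,
    bob_sees: visible_relations(relations, ISSUE2, BOB).map(&:subject),
    alice_sees: visible_relations(relations, ISSUE2, ALICE).map(&:subject) }
end
p demo if __FILE__ == $PROGRAM_NAME
```

The write-side error uses the same message whether the target issue is missing or merely hidden, so the response does not confirm that a private issue exists.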

Updated by Admin Redmine almost 2 years ago

  • Category set to Issues_2
  • Target version set to 0.9.0_6
