Vote #72772
Open
Time entries of private issues are visible by users without permission to see them
0%
Description
By accessing /projects/:id/time_entries users can see time entries submitted on private issues even if they don't have access to the issue.
Affected version:
Redmine: 2.1.2.devel.10772
Rails: 3.2.8
Ruby: 1.9.3 (x86_64-linux)
journals
Hi,
I can confirm this with current trunk (10781)!
--------------------------------------------------------------------------------
This can be fixed with the following modifications on the *TimeEntry* model:
<pre><code class="ruby">
# Create this method
def self.visible_condition(user, options={})
  "(#{Issue.visible_condition(user, options)} AND #{Project.allowed_to_condition(user, :view_time_entries, options)})"
end

# Update the :visible scope
scope :visible, lambda {|*args| {
  :include => [:project, :issue],
  :conditions => TimeEntry.visible_condition(args.shift || User.current, *args)
}}
</code></pre>
With these changes, time entries on private issues will no longer be visible either on the search results page or on the */projects/:id/time_entries* page.
--------------------------------------------------------------------------------
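The rule the proposed change enforces, as an added plain-Ruby model (not part of the thread and not Redmine code): a time entry is listed only when the user may view time entries in the project and may also see the issue it is logged on. The structs, helper names and sample data are constructed for illustration, and the private-issue rule is simplified.

```ruby
# Added illustration: plain-Ruby model of the visibility rule, not Redmine code.
# All names below are hypothetical and the data is constructed.
ModelUser  = Struct.new(:name, :permissions)   # permissions: { project => [symbols] }
ModelIssue = Struct.new(:id, :project, :is_private, :author, :assignee)
ModelEntry = Struct.new(:id, :project, :issue, :hours)

def allowed?(user, project, permission)
  user.permissions.fetch(project, []).include?(permission)
end

# Simplified private-issue rule (assumption): a private issue is visible only
# to its author or assignee; real Redmine also depends on role settings.
def issue_visible?(user, issue)
  return false unless allowed?(user, issue.project, :view_issues)
  !issue.is_private || [issue.author, issue.assignee].include?(user)
end

# Reported behaviour: only the project-level permission is checked.
def entries_before(user, entries)
  entries.select { |e| allowed?(user, e.project, :view_time_entries) }
end

# Proposed behaviour: project permission AND issue visibility must both hold.
# Entries with no issue fall back to the project permission alone (a choice
# made in this model).
def entries_after(user, entries)
  entries.select do |e|
    allowed?(user, e.project, :view_time_entries) &&
      (e.issue.nil? || issue_visible?(user, e.issue))
  end
end

def demo
  perms    = { "web" => [:view_issues, :view_time_entries] }
  alice    = ModelUser.new("alice", perms)   # author of the private issue
  bob      = ModelUser.new("bob", perms)     # same role, unrelated to the private issue
  public_i = ModelIssue.new(1, "web", false, alice, nil)
  secret_i = ModelIssue.new(2, "web", true, alice, nil)
  entries  = [ModelEntry.new(10, "web", public_i, 1.5),
              ModelEntry.new(11, "web", secret_i, 3.0),
              ModelEntry.new(12, "web", nil, 0.5)]   # logged on the project, no issue
  { bob_before:  entries_before(bob, entries).map(&:id),
    bob_after:   entries_after(bob, entries).map(&:id),
    alice_after: entries_after(alice, entries).map(&:id) }
end

p demo if __FILE__ == $PROGRAM_NAME
```

A regression test for the change would want the third case as well: an entry logged directly on the project with no issue attached.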
--------------------------------------------------------------------------------
What status is this issue?
--------------------------------------------------------------------------------
Time entries logged on private issues are still visible to users that have permissions to see all time entries, but they don't have enough permissions to see the respective issues.
Is this a defect or is it the expected behaviour?
--------------------------------------------------------------------------------
Updated by Admin Redmine about 2 years ago
- Category set to Time tracking_13
- Target version set to Candidate for next minor release_33