Vote #77864

Per role visibility settings for version custom fields

Added by Admin Redmine over 3 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Custom fields_14
Target version:
Start date: 2022/05/09
Due date:
% Done: 0%
Estimated time:

Description

For issue custom fields, one can already select which roles should be allowed to view this field.

This patch, developed at "Planio":https://plan.io/redmine-hosting and sponsored by "SDZeCOM GmbH":http://www.sdzecom.de, introduces the same setting for project and version custom fields.


journals

--------------------------------------------------------------------------------
Turns out the patch led to invalid SQL for project custom fields, here is an updated version which overrides @CustomField#visibility_by_project_condition@ in @ProjectCustomField@ to work with the correct @project_key@ (that is, @projects.id@ instead of @projects.project_id@).
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
Could you add tests like r12012?
--------------------------------------------------------------------------------
Hello,
When may we expect custom fields per role visibility to be available? (This could be a really powerful feature.)

--------------------------------------------------------------------------------
I'll update these patches in order to be applied on top of #31859. Jens Krämer, maybe you'll have time to review my work.
--------------------------------------------------------------------------------
Sure!
--------------------------------------------------------------------------------
I've attached the patch that adds per role visibility settings for project.

Working on it, I've observed an inconsistent behaviour (which I consider a defect/security issue): the project custom fields not visible for normal users are still visible in project settings for those users who have access to project settings. This issue can be easily reproduced using the test @test_settings_should_not_display_custom_fields_not_visible_for_user@ added by me in @test/functional/projects_controller_test@.

Also, in order to keep the current behaviour where a custom field can be displayed in @project#show@ only for admin users, we cannot validate the roles values when saving a project custom field (as we do for issues/spent entries) in order to allow saving a custom field with "to these roles only:" checked, but without any role checked (which is the equivalent of @visible: false@). Otherwise, we need to add a new option to visibility in order to allow "admin only".

Tests pass: https://gitlab.com/redmine-org/redmine/pipelines/76036437

Jens Krämer, Go Maeda, what do you think about these changes?
--------------------------------------------------------------------------------
Marius BALTEANU wrote:
> Working on it, I've observed an inconsistent behaviour (which I consider it a defect/security issue), the project custom fields not visible for normal users are still visible in project settings for those users who have access to project settings.

The behavior will be fixed by your patch and the new behavior is straightforward.

> Also, in order to keep the current behaviour where a custom field can be displayed in @project#show@ only for admin users, we cannot validate the roles values when saving a project custom field (as we do for issues/spent entries) in order to allow saving a custom field with "to these roles only:" checked, but without any role checked (which is the equivalent of @visible: false@).

I think it is OK.
--------------------------------------------------------------------------------
Looks good to me!
--------------------------------------------------------------------------------
Attached the patch for version custom fields.
@Jens, do you remember why you overrode the @safe_attributes=@ method in your proposed patch for @Version@?

Tests pass: https://gitlab.com/redmine-org/redmine/pipelines/77404580

--------------------------------------------------------------------------------
@Marius - From the looks of it I would say I did that to prevent a user from setting the values of fields they cannot see through a crafted request. The same logic is present in the issue model. Strictly speaking, the same should be done for projects.
--------------------------------------------------------------------------------
Jens Krämer wrote:
> @Marius - From the looks of it I would say I did that to prevent a user from setting the values of fields they cannot see through a crafted request. The same logic is present in the issue model. Strictly speaking, the same should be done for projects.

Got it, thanks. Next week I’ll add new patches to implement this logic to Spent time, Project and Version.

Until then, we can deliver this one.
--------------------------------------------------------------------------------
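The mass-assignment guard Jens describes (and that Marius plans to carry over to Spent time, Project and Version) is illustrated below as an added, stand-alone example; it is not Redmine's code. The `CustomField`, `User`, `Project` and `Version` classes and the `assign_safe_attributes` method are simplified stand-ins for Redmine's `CustomField#visible_by?`, `Project#roles_for_user` and `Version#safe_attributes=`.

```ruby
# Stand-in for Redmine's CustomField: visible to everyone, or only to the
# listed roles. visible=false with no roles is the "admin only" case
# discussed in the thread.
CustomField = Struct.new(:id, :name, :visible, :role_ids) do
  def visible_by?(user, project)
    return true if visible || user.admin
    (role_ids & project.role_ids_for(user)).any?
  end
end

User = Struct.new(:login, :admin)

# memberships: { login => [role_id, ...] } (stand-in for Project#roles_for_user)
Project = Struct.new(:memberships) do
  def role_ids_for(user)
    memberships.fetch(user.login, [])
  end
end

class Version
  attr_reader :project, :custom_field_values

  def initialize(project, fields)
    @project, @fields = project, fields
    @custom_field_values = {}
  end

  # Stand-in for safe_attributes=: a crafted request may carry a value for
  # every custom field id, but only fields the acting user can see are
  # written. Returns the ids that were silently dropped.
  def assign_safe_attributes(attrs, user)
    values  = attrs.fetch('custom_field_values', {})
    allowed = @fields.select { |f| f.visible_by?(user, project) }.map { |f| f.id.to_s }
    values.each { |id, v| @custom_field_values[id] = v if allowed.include?(id) }
    values.keys - allowed
  end
end

# Constructed sample data: field 1 is public, field 2 is restricted to
# role 3 (a manager role), field 3 has no roles, i.e. admins only.
FIELDS  = [CustomField.new(1, 'Codename', true,  []),
           CustomField.new(2, 'Budget',   false, [3]),
           CustomField.new(3, 'Internal', false, [])]
PROJECT = Project.new({ 'dev' => [4], 'pm' => [3] })

# Simulates a request that tries to set all three fields as the given user.
def assign_as(login, admin = false)
  v = Version.new(PROJECT, FIELDS)
  params = { 'custom_field_values' => { '1' => 'Atlas', '2' => '10k', '3' => 'secret' } }
  dropped = v.assign_safe_attributes(params, User.new(login, admin))
  [v.custom_field_values, dropped]
end
```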
Committed the patch. Thank you for your contribution.
--------------------------------------------------------------------------------


Related issues

Relates to #5037 (Closed): Role-based issue custom field visibility
Relates to #31859 (Closed): Per role visibility settings for spent time custom fields
Relates to #31925 (Closed): Per role visibility settings for project custom fields
Relates to #31954 (Closed): Reject project/version custom field values not visible to user
Duplicates #15416 (Closed): Role-based issue custom field visibility for projects

Updated by Admin Redmine over 3 years ago

  • Category set to Custom fields_14
  • Target version set to 4.1.0_127
