Vote #81394
Completed: Permission check of the setting button on the issues page mismatches button semantics
0%
Description
In source:/tags/4.2.0/app/views/issues/index.html.erb#L16 the link goes to the @issues@ tab of the project settings. The button is only shown if the user has the @manage_categories@ permission but the permission required for this tab is @edit_project@ source:/tags/4.2.0/app/helpers/projects_helper.rb#L28
Note that this is only a UI issue: the button might be shown to users that cannot see the tab that it links to, or the button might not be shown to users that would be able to see the tab that it links to, but upon following the link the correct permission is checked. There also is no information disclosure associated with this issue.
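The mismatch described above, modeled as an added example (not Redmine's code and not the attached patch): a button gated on one permission while its target tab enforces another, and a check that lists the roles for which the two disagree. The role names, `TAB_PERMISSION` and all helper names are hypothetical; the permission names are the two from the description.

```ruby
require 'set'

# Hypothetical model: each settings tab names the permission that the
# server enforces when the tab is opened.
TAB_PERMISSION = { 'issues' => :edit_project }.freeze

# Constructed sample roles and their permissions.
ROLES = {
  'manager'        => Set[:edit_project, :manage_categories],
  'category_admin' => Set[:manage_categories],
  'project_editor' => Set[:edit_project],
  'reporter'       => Set[]
}.freeze

def allowed?(role, permission)
  ROLES.fetch(role).include?(permission)
end

# "Before": the button is gated on a permission unrelated to its target.
def show_button_mismatched?(role)
  allowed?(role, :manage_categories)
end

# "After": the button asks the same question the target tab will ask.
def show_button_aligned?(role, tab = 'issues')
  allowed?(role, TAB_PERMISSION.fetch(tab))
end

# Returns the roles for which the UI gate and the server-side check
# disagree: dead links (button shown, tab denied) and hidden links
# (tab allowed, button not shown).
def ui_mismatches(gate, tab = 'issues')
  result = { dead_link: [], hidden_link: [] }
  ROLES.each_key do |role|
    shown   = method(gate).call(role)
    granted = allowed?(role, TAB_PERMISSION.fetch(tab))
    result[:dead_link]   << role if shown && !granted
    result[:hidden_link] << role if !shown && granted
  end
  result
end

if __FILE__ == $PROGRAM_NAME
  p ui_mismatches(:show_button_mismatched?)
  p ui_mismatches(:show_button_aligned?)
end
```

Because the tab itself still enforces `edit_project`, both kinds of mismatch are usability defects rather than access-control bypasses, which matches the report's assessment.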
journals
--------------------------------------------------------------------------------
I made a patch to fix & test the issue #35090, and attach it.
--------------------------------------------------------------------------------
Setting the target version to 4.1.5.
--------------------------------------------------------------------------------
Committed the patch. Thank you for your contribution.
--------------------------------------------------------------------------------
related_issues
relates,Closed,22090,Make project settings more accessible