Opened 5 years ago

Closed 2 years ago

#6017 closed defect (worksforme)

Ticket-Restrictions have no effect on Reports and Queries

Reported by: anonymous
Owned by: rjollos
Priority: highest
Component: PrivateTicketsPlugin
Severity: blocker
Keywords:
Cc:
Trac Release: 0.11

Description

The permissions work well for viewing tickets, but there are no restrictions on the report- and query-pages, i.e. all tickets are shown on these pages.

Actually for each ticket the permissions should be checked and only listed if the permissions allow it, otherwise users can at least see some information (like summary) about tickets they should not see.

Change History (5)

comment:1 Changed 5 years ago by anonymous

On my install this is not the case: if a milestone has private tickets not viewable by myself, the milestone itself is listed in the reports, but the private tickets are not.

comment:2 follow-up: Changed 5 years ago by anonymous

I have just rechecked this ...

Permissions TICKET_VIEW_REPORTER & TICKET_VIEW_REPORTER_GROUP show all Tickets (even those not reported by the current user), Permission TICKET_VIEW_REPORTER shows the user only his reported tickets, Permission TICKET_VIEW_REPORTER_GROUP shows the reporter all tickets.

So it seems that there is something wrong with the Permission TICKET_VIEW_REPORTER_GROUP.

comment:3 Changed 5 years ago by rjollos

  • Cc rjollos added; anonymous removed

comment:4 in reply to: ↑ 2 Changed 2 years ago by rjollos

  • Cc anonymous added; rjollos removed
  • Owner changed from coderanger to rjollos
  • Status changed from new to assigned

Replying to anonymous:

I have just rechecked this ...

Permissions TICKET_VIEW_REPORTER & TICKET_VIEW_REPORTER_GROUP show all Tickets (even those not reported by the current user), Permission TICKET_VIEW_REPORTER shows the user only his reported tickets, Permission TICKET_VIEW_REPORTER_GROUP shows the reporter all tickets.

So it seems that there is something wrong with the Permission TICKET_VIEW_REPORTER_GROUP.

I've found a way to reproduce some similar behavior with the latest PrivateTicketsPlugin trunk (r11498) and Trac 0.11.0. Use the following trac.ini configuration:

[privatetickets]
group_blacklist = anonymous

Now, a user with TICKET_VIEW_REPORTER_GROUP will share the authenticated group with every other authenticated user, and we've effectively added authenticated to the list of groups that are used for group permission checks by removing it from the blacklist. A ticket query by a user with TICKET_VIEW_REPORTER_GROUP will now return every ticket that was created by an authenticated user. I'd expect similar behavior for the other GROUP permissions under this scenario.

Is it possible that this is the issue you were experiencing? I'd need more information about your Trac configuration to dig deeper.
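The effect described in comment:4, as an added example that is not part of the ticket and not the plugin's own code: a simplified model of a shared-group check, run against the reported `group_blacklist` value and one that also lists `authenticated`. The user names, team groups, tickets, function names and the fallback default are assumptions made for illustration.

```python
import configparser

# Trac's implicit groups: every logged-in user is in both.
IMPLICIT = {"anonymous", "authenticated"}

def load_blacklist(ini_text):
    """Read [privatetickets] group_blacklist from trac.ini text."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    # Fallback is an assumed default, inferred from comment:4.
    raw = cp.get("privatetickets", "group_blacklist",
                 fallback="anonymous, authenticated")
    return {g.strip() for g in raw.split(",") if g.strip()}

def groups_of(user, memberships):
    """Explicit groups plus the implicit ones Trac grants."""
    if user == "anonymous":
        return {"anonymous"}
    return set(memberships.get(user, ())) | IMPLICIT

def visible_by_group(user, tickets, memberships, blacklist):
    """Simplified TICKET_VIEW_REPORTER_GROUP: a ticket is listed when
    viewer and reporter share at least one non-blacklisted group."""
    mine = groups_of(user, memberships) - blacklist
    return [tid for tid, reporter in tickets
            if mine & (groups_of(reporter, memberships) - blacklist)]

def audit(ini_text):
    """Implicit groups that would take part in group checks."""
    return sorted(IMPLICIT - load_blacklist(ini_text))

# Constructed sample data (hypothetical users, groups and tickets).
MEMBERSHIPS = {"alice": ["team_a"], "bob": ["team_a"], "carol": ["team_b"]}
TICKETS = [(1, "alice"), (2, "bob"), (3, "carol"), (4, "anonymous")]
AS_REPORTED = "[privatetickets]\ngroup_blacklist = anonymous\n"
CORRECTED = "[privatetickets]\ngroup_blacklist = anonymous, authenticated\n"

if __name__ == "__main__":
    for name, ini in (("as reported", AS_REPORTED), ("corrected", CORRECTED)):
        seen = visible_by_group("alice", TICKETS, MEMBERSHIPS, load_blacklist(ini))
        print(name, "-> alice sees", seen, "| implicit groups in play:", audit(ini))
```

A non-empty result from `audit` on a site's trac.ini means an implicit group is being matched in group checks, which is the condition comment:4 reproduces.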

comment:5 Changed 2 years ago by rjollos

  • Resolution set to worksforme
  • Status changed from assigned to closed

Closing since there has been no feedback.
