Opened 4 years ago
Closed 11 months ago
#6017 closed defect (worksforme)
Ticket-Restrictions have no effect on Reports and Queries
| Reported by: | anonymous | Owned by: | rjollos |
|---|---|---|---|
| Priority: | highest | Component: | PrivateTicketsPlugin |
| Severity: | blocker | Keywords: | |
| Cc: | | Trac Release: | 0.11 |
Description
The permissions work well for viewing tickets, but there are no restrictions on the report- and query-pages, i.e. all tickets are shown on these pages.
Actually, for each ticket the permissions should be checked and the ticket only listed if the permissions allow it; otherwise users can at least see some information (like the summary) about tickets they should not see.
Attachments (0)
Change History (5)
comment:1 Changed 4 years ago by anonymous
comment:2 follow-up: ↓ 4 Changed 4 years ago by anonymous
I have just rechecked this ...
Permissions TICKET_VIEW_REPORTER & TICKET_VIEW_REPORTER_GROUP show all Tickets
(even those not reported by the current user),
Permission TICKET_VIEW_REPORTER shows the user only his reported tickets,
Permission TICKET_VIEW_REPORTER_GROUP shows the reporter all tickets.
So it seems that there is something wrong with the Permission TICKET_VIEW_REPORTER_GROUP.
comment:3 Changed 4 years ago by rjollos
- Cc rjollos added
comment:4 in reply to: ↑ 2 Changed 13 months ago by rjollos
- Cc rjollos removed
- Owner changed from coderanger to rjollos
- Status changed from new to assigned
Replying to anonymous:
> I have just rechecked this ...
> Permissions TICKET_VIEW_REPORTER & TICKET_VIEW_REPORTER_GROUP show all Tickets
> (even those not reported by the current user),
> Permission TICKET_VIEW_REPORTER shows the user only his reported tickets,
> Permission TICKET_VIEW_REPORTER_GROUP shows the reporter all tickets.
> So it seems that there is something wrong with the Permission TICKET_VIEW_REPORTER_GROUP.

I've found a way to reproduce some similar behavior with the latest PrivateTicketsPlugin trunk (r11498) and Trac 0.11.0. Use the following trac.ini configuration:
```ini
[privatetickets]
group_blacklist = anonymous
```
Now, a user with TICKET_VIEW_REPORTER_GROUP will share the authenticated group with every other authenticated user, and we've effectively added authenticated to the list of groups that are used for group permission checks by removing it from the blacklist. A ticket query by a user with TICKET_VIEW_REPORTER_GROUP will now return every ticket that was created by an authenticated user. I'd expect similar behavior for the other GROUP permissions under this scenario.
Is it possible that this is the issue you were experiencing? I'd need more information about your Trac configuration to dig deeper.
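The effect described in comment:4 can be checked offline. The following is an added example, not code from the ticket or from PrivateTicketsPlugin: `audit_blacklist` flags a `group_blacklist` that omits one of Trac's implicit groups, and `visible_by_reporter_group` is a simplified model of the shared-group check. Both function names, the model and the sample tickets are assumptions made for illustration.

```python
import configparser

# Trac's built-in groups: every user is in "anonymous", every logged-in
# user is also in "authenticated".
IMPLICIT_GROUPS = {"anonymous", "authenticated"}

def audit_blacklist(ini_text):
    """Return the implicit groups missing from [privatetickets] group_blacklist."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    raw = cp.get("privatetickets", "group_blacklist", fallback=None)
    if raw is None:
        # Assumption: with the option unset, the plugin default keeps both
        # implicit groups blacklisted, as the comment above implies.
        return set()
    listed = {g.strip() for g in raw.split(",") if g.strip()}
    return IMPLICIT_GROUPS - listed

def visible_by_reporter_group(viewer_groups, tickets, blacklist):
    """Simplified model of the group check: a ticket is listed when viewer
    and reporter share at least one group that is not blacklisted."""
    mine = set(viewer_groups) - set(blacklist)
    return [t["id"] for t in tickets
            if mine & (set(t["reporter_groups"]) - set(blacklist))]

# Constructed sample data, not taken from any real Trac instance.
TICKETS = [
    {"id": 1, "reporter_groups": {"anonymous", "authenticated", "team-a"}},
    {"id": 2, "reporter_groups": {"anonymous", "authenticated", "team-b"}},
    {"id": 3, "reporter_groups": {"anonymous"}},  # filed without logging in
]
VIEWER_GROUPS = {"anonymous", "authenticated", "team-a"}

if __name__ == "__main__":
    weak = "[privatetickets]\ngroup_blacklist = anonymous\n"
    fixed = "[privatetickets]\ngroup_blacklist = anonymous, authenticated\n"
    for name, ini in (("weak", weak), ("fixed", fixed)):
        missing = audit_blacklist(ini)
        blacklist = IMPLICIT_GROUPS - missing
        print(name, "missing:", sorted(missing), "visible:",
              visible_by_reporter_group(VIEWER_GROUPS, TICKETS, blacklist))
```

With the weak setting the viewer in `team-a` is also shown the `team-b` ticket, because `authenticated` counts as a shared group; with both implicit groups blacklisted only the `team-a` ticket is listed.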
comment:5 Changed 11 months ago by rjollos
- Resolution set to worksforme
- Status changed from assigned to closed
Closing since there has been no feedback.


On my install this is not the case; if a milestone has private tickets not viewable by myself, the milestone itself is listed in the reports, but the private tickets are not.