Opened 7 years ago

Closed 5 years ago

#6017 closed defect (worksforme)

Ticket-Restrictions have no effect on Reports and Queries

Reported by: anonymous
Owned by: Ryan J Ollos
Priority: highest
Component: PrivateTicketsPlugin
Severity: blocker
Keywords:
Cc:
Trac Release: 0.11

Description

The permissions work well for viewing tickets, but there are no restrictions on the report- and query-pages, i.e. all tickets are shown on these pages.

Actually for each ticket the permissions should be checked and only listed if the permissions allow it, otherwise users can at least see some information (like summary) about tickets they should not see.

Change History (5)

comment:1 Changed 7 years ago by anonymous

On my install this is not the case; if a milestone has private tickets not viewable by myself, the milestone itself is listed in the reports, but the private tickets are not.

comment:2 Changed 7 years ago by anonymous

I have just rechecked this ...

Permissions TICKET_VIEW_REPORTER & TICKET_VIEW_REPORTER_GROUP show all Tickets (even those not reported by the current user), Permission TICKET_VIEW_REPORTER shows the user only his reported tickets, Permission TICKET_VIEW_REPORTER_GROUP shows the reporter all tickets.

So it seems that there is something wrong with the Permission TICKET_VIEW_REPORTER_GROUP.

comment:3 Changed 7 years ago by Ryan J Ollos

Cc: Ryan J Ollos added; anonymous removed

comment:4 in reply to:  2 Changed 5 years ago by Ryan J Ollos

Cc: anonymous added; Ryan J Ollos removed
Owner: changed from Noah Kantrowitz to Ryan J Ollos
Status: changed from new to assigned

Replying to anonymous:

> I have just rechecked this ...
>
> Permissions TICKET_VIEW_REPORTER & TICKET_VIEW_REPORTER_GROUP show all Tickets (even those not reported by the current user), Permission TICKET_VIEW_REPORTER shows the user only his reported tickets, Permission TICKET_VIEW_REPORTER_GROUP shows the reporter all tickets.
>
> So it seems that there is something wrong with the Permission TICKET_VIEW_REPORTER_GROUP.

I've found a way to reproduce some similar behavior with the latest PrivateTicketsPlugin trunk (r11498) and Trac 0.11.0. Use the following trac.ini configuration:

[privatetickets]
group_blacklist = anonymous

Now, a user with TICKET_VIEW_REPORTER_GROUP will share the authenticated group with every other authenticated user, and we've effectively added authenticated to the list of groups that are used for group permission checks by removing it from the blacklist. A ticket query by a user with TICKET_VIEW_REPORTER_GROUP will now return every ticket that was created by an authenticated user. I'd expect similar behavior for the other GROUP permissions under this scenario.

Is it possible that this is the issue you were experiencing? I'd need more information about your Trac configuration to dig deeper.

comment:5 Changed 5 years ago by Ryan J Ollos

Resolution: worksforme
Status: changed from assigned to closed

Closing since there has been no feedback.
