Opened 15 years ago
Closed 12 years ago
#6017 closed defect (worksforme)
Ticket-Restrictions have no effect on Reports and Queries
Reported by: | anonymous | Owned by: | Ryan J Ollos |
---|---|---|---|
Priority: | highest | Component: | PrivateTicketsPlugin |
Severity: | blocker | Keywords: | |
Cc: | Trac Release: | 0.11 |
Description
The permissions work well for viewing tickets, but there are no restrictions on the report- and query-pages, i.e. all tickets are shown on these pages.
Actually, for each ticket the permissions should be checked and the ticket only listed if the permissions allow it; otherwise users can at least see some information (like the summary) about tickets they should not see.
Change History (5)
comment:1 Changed 15 years ago by
comment:2 follow-up: 4 Changed 15 years ago by
I have just rechecked this ...
Permissions TICKET_VIEW_REPORTER & TICKET_VIEW_REPORTER_GROUP show all Tickets (even those not reported by the current user), Permission TICKET_VIEW_REPORTER shows the user only his reported tickets, Permission TICKET_VIEW_REPORTER_GROUP shows the reporter all tickets.
So it seems that there is something wrong with the Permission TICKET_VIEW_REPORTER_GROUP.
comment:3 Changed 15 years ago by
Cc: | Ryan J Ollos added; anonymous removed |
---|
comment:4 Changed 12 years ago by
Cc: | anonymous added; Ryan J Ollos removed |
---|---|
Owner: | changed from Noah Kantrowitz to Ryan J Ollos |
Status: | new → assigned |
Replying to anonymous:
I have just rechecked this ...
Permissions TICKET_VIEW_REPORTER & TICKET_VIEW_REPORTER_GROUP show all Tickets (even those not reported by the current user), Permission TICKET_VIEW_REPORTER shows the user only his reported tickets, Permission TICKET_VIEW_REPORTER_GROUP shows the reporter all tickets.
So it seems that there is something wrong with the Permission TICKET_VIEW_REPORTER_GROUP.
I've found a way to reproduce some similar behavior with the latest PrivateTicketsPlugin trunk (r11498) and Trac 0.11.0. Use the following trac.ini configuration:
```ini
[privatetickets]
group_blacklist = anonymous
```

Now, a user with `TICKET_VIEW_REPORTER_GROUP` will share the `authenticated` group with every other `authenticated` user, and we've effectively added `authenticated` to the list of groups that are used for group permission checks by removing it from the blacklist. A ticket query by a user with `TICKET_VIEW_REPORTER_GROUP` will now return every ticket that was created by an `authenticated` user. I'd expect similar behavior for the other `GROUP` permissions under this scenario.
Is it possible that this is the issue you were experiencing? I'd need more information about your Trac configuration to dig deeper.
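A simplified model of the group check described in comment:4, added here as an example; it is not PrivateTicketsPlugin code. The user names, team names, tickets and helper functions are constructed, and the fallback blacklist of `anonymous, authenticated` when the option is unset is an assumption.

```python
import configparser

# Trac's implicit groups; every logged-in user belongs to both.
IMPLICIT_GROUPS = {"anonymous", "authenticated"}

def load_blacklist(ini_text):
    """Return the [privatetickets] group_blacklist from trac.ini text as a set."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    # Assumption: with the option unset, both implicit groups are blacklisted.
    raw = cp.get("privatetickets", "group_blacklist",
                 fallback="anonymous, authenticated")
    return {g.strip() for g in raw.split(",") if g.strip()}

def effective_groups(user, memberships, blacklist):
    """Groups that count in the group check: explicit + implicit - blacklist."""
    return (set(memberships.get(user, ())) | IMPLICIT_GROUPS) - blacklist

def visible_tickets(viewer, tickets, memberships, blacklist):
    """Model of TICKET_VIEW_REPORTER_GROUP: viewer shares a group with the reporter."""
    mine = effective_groups(viewer, memberships, blacklist)
    return [tid for tid, reporter in tickets
            if mine & effective_groups(reporter, memberships, blacklist)]

def unblacklisted_implicit_groups(blacklist):
    """Implicit groups that would take part in group checks (should be empty)."""
    return sorted(IMPLICIT_GROUPS - blacklist)

# Constructed sample data: three logged-in users in two teams.
MEMBERSHIPS = {"alice": {"team-a"}, "bob": {"team-a"}, "carol": {"team-b"}}
TICKETS = [(1, "alice"), (2, "bob"), (3, "carol")]
WEAK_INI = "[privatetickets]\ngroup_blacklist = anonymous\n"
SAFE_INI = "[privatetickets]\ngroup_blacklist = anonymous, authenticated\n"

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("safe", SAFE_INI)):
        bl = load_blacklist(ini)
        print(name, "alice sees", visible_tickets("alice", TICKETS, MEMBERSHIPS, bl),
              "implicit groups in play:", unblacklisted_implicit_groups(bl))
```

A non-empty result from `unblacklisted_implicit_groups` on a site's `trac.ini` is the condition to look for when the `GROUP` permissions appear to expose every ticket.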
comment:5 Changed 12 years ago by
Resolution: | → worksforme |
---|---|
Status: | assigned → closed |
Closing since there has been no feedback.
On my install this is not the case: if a milestone has private tickets not viewable by myself, the milestone itself is listed in the reports, but the private tickets are not.