Field permissions ignored in timeline

[ronino]

I configured my Trac to not expose timing data to users without TIME_VIEW permission (with TIME_VIEW:remove in trac.ini). But in the timeline, those users still see that those fields have been changed (unlike in the ticket changelog where those information are hidden).

For example, the user can read in some timeline ticket change entry:

Add Hours to Ticket, Total Hours changed

In my opinion, those information should be removed from the timeline in those circumstances, otherwise those users wonder what those entries mean.

[Russ Tyndall]

It is definitely the intention that the timeline hide those details from users without permissions to them. Looking into this now.

[Russ Tyndall]

My guess is that these were not on the timeline in an earlier version of trac, or perhaps they were just missed since they had no data. Either way I just pushed a new version 1.1.6b that should correctly remove fields from the timeline for you.

[10267]

Thanks for the bug report

[ronino]

Man, you are fast as opposed to me ;-). Thanks again.

I installed the new version, but unfortunately, the timeline didn't change. Assuming that it maybe has to due with my using German as default language, I reset the labels to your strings and set English as frontend language, but changes of timing data fields are still visible for users without TIME_VIEW permission.

When installing the upgrade, I simply replaced the old plugin folder with the new one and restarted Apache. Did I miss something?

[Russ Tyndall]

You might need to enable the TimelinePermissionFilter in webadmin trac.ini depending on how you have stuff setup. If it is setup and enabled you should see "Timeline Filter" events in your trac debug log, whether or not it was working.

I dont think the label should change anything as we are using the value specified in the ini. It worked for me but it is definitely possible I missed something.

[Russ Tyndall]

Going to go ahead and close, if this is still a bug, please reopen.